EUVD-2025-16620

CVE-2025-0358 | Severity: HIGH | Published: 2025-06-02 | Contact: [email protected]
CVSS 3.1 base score: 8.8

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

EUVD ID Assigned: Mar 14, 2026 - 16:47 (source: euvd) - EUVD-2025-16620
Analysis Generated: Mar 14, 2026 - 16:47 (source: vuln.today)
CVE Published: Jun 02, 2025 - 08:15 (source: nvd)

Description

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

Analysis

Privilege escalation vulnerability in Axis Communications' VAPIX Device Configuration framework that allows a local, authenticated user with lower privileges to escalate to administrator-level access. Discovered during a penetration test by Truesec, this flaw affects Axis network devices and cameras utilizing the vulnerable VAPIX framework. With a CVSS score of 8.8 and local attack vector, the vulnerability poses significant risk to organizations deploying Axis devices in multi-user or untrusted environments, though it requires prior authentication and local access to exploit.

Technical Context

VAPIX (Versatile Application Program Interface for Axis devices) is Axis Communications' proprietary API framework used for device configuration and management across their network camera and appliance product lines. The vulnerability resides in the Device Configuration component of this framework and is classified under CWE-269 (Improper Access Control), indicating insufficient validation or enforcement of privilege boundaries within the configuration module. The flaw allows a principal with a lower privilege level (PR:L) to perform actions restricted to administrator roles through the VAPIX interface, suggesting insufficient authorization checks or privilege boundary enforcement in the API logic. Affected products would include Axis network cameras (AXIS P series, AXIS Q series) and video management appliances that implement VAPIX configuration services, though specific version ranges require vendor advisories for precise identification.

Affected Products

Axis Communications products utilizing the VAPIX Device Configuration framework. Based on the discovery context, affected product categories include:

(1) Axis Network Cameras: P-series (compact cameras), Q-series (dome cameras), and other modular camera lines;
(2) Axis Video Management Appliances and Network Video Recorders (NVRs);
(3) Axis Companion devices and edge computing appliances.

Specific CPE patterns would be:

cpe:2.3:a:axis:vapix_device_configuration:*:*:*:*:*:*:*:* (generic VAPIX framework component)
cpe:2.3:o:axis:*:*:*:*:*:*:*:*:* (Axis device firmware)

Precise affected versions and product SKUs must be obtained from Axis Communications' official security advisory. The discovery was made via penetration testing, suggesting the vulnerability may affect multiple firmware versions across the Axis product portfolio. Customers should consult Axis Communications directly or monitor their official security advisories page for affected device models and recommended firmware updates.

Remediation

Immediate remediation requires patching Axis device firmware to versions that address the VAPIX Device Configuration privilege escalation. Specific remediation steps:

(1) Identify all Axis devices in the environment and their current firmware versions;
(2) Consult Axis Communications security advisories and release notes for patched firmware versions addressing CVE-2025-0358;
(3) Plan and execute firmware updates following Axis's recommended upgrade procedures (typically via the device management interface or centralized management tools);
(4) Test patched devices in non-production environments first to ensure compatibility.

Interim mitigations pending patching:

(a) Restrict local/network access to VAPIX configuration interfaces to authorized administrative users only;
(b) Disable remote VAPIX configuration if not required;
(c) Implement strong authentication and access controls for any accounts with device access;
(d) Monitor for unauthorized configuration changes through device audit logs;
(e) Segment Axis devices on dedicated VLANs with restricted access policies.

Workarounds are limited due to the authentication requirement; preventing unauthorized local/network access to devices is the primary interim control. Axis Communications' official advisories and patches should be sourced from their security portal or through direct communication with their support team.

Priority Score

Priority Score: 44 (scale: Low / Medium / High / Critical)

Components:
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0
