CVE-2025-0359

Published Mar 4, 2025

Last updated 2 months ago

CVSS high 8.5

Overview

Description
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Source
product-security@axis.com
NVD status
Analyzed
Products
axis_os, axis_os_2024

Risk scores

CVSS 3.1

Type
Primary
Base score
5.5
Impact score
3.6
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Severity
MEDIUM

Weaknesses

product-security@axis.com
CWE-863

Social media

Hype score
Not currently trending

  1. 🚨 CVE-2025-0359 🔴 HIGH (8.5) 🏢 Axis Communications AB - AXIS OS 🏗️ 11.11 - 12.1 🔗 https://t.co/1kniDSXp0K #CyberCron #VulnAlert #InfoSec https://t.co/tWo2Mo7h9d

    @cybercronai

    4 Mar 2025

    8 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account.CVE-2025-11142
  2. An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-8108
  3. An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-6779
  4. ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-6298
  5. The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-5718

References

Sources include official advisories and independent security research.