CVE-2025-0360

Published Mar 4, 2025

Last updated 2 months ago

CVSS high 7.8

Overview

Description
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level in the VAPIX service account D-Bus API.
Source
product-security@axis.com
NVD status
Analyzed
Products
axis_os, axis_os_2024

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

product-security@axis.com
CWE-863

Social media

Hype score
Not currently trending

  1. CVE-2025-0360 During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an… https://t.co/2wv1yvNp77

    @CVEnew

    5 Mar 2025

    100 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 🚨 CVE-2025-0360 🔴 HIGH (7.8) 🏢 Axis Communications AB - AXIS OS 🏗️ 11.11 - 12.1 🔗 https://t.co/CY6E68dDxO #CyberCron #VulnAlert #InfoSec https://t.co/5rVxyqBQxu

    @cybercronai

    4 Mar 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. The VAPIX API mediaclip.cgi that did not have a sufficient input validation allowing for a possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator- privileged service account.CVE-2025-11142
  2. An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-8108
  3. An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-6779
  4. ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-6298
  5. The ACAP Application framework could allow privilege escalation through a symlink attack. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.CVE-2025-5718

References

Sources include official advisories and independent security research.