Platform: other
Component: vapix-device-configuration-framework
Fixed in: 12.4.0
CVE-2025-0358 describes a Privilege Escalation vulnerability discovered within the Axis VAPIX Device Configuration framework. This flaw allows a lower-privileged user to elevate their access and gain administrator privileges, potentially compromising the entire device. The vulnerability impacts versions 12.0.0 through 12.4.0, and a fix is available in version 12.4.0.
Successful exploitation of CVE-2025-0358 grants an attacker unauthorized administrator access to the affected Axis device. This could lead to complete control over the device's configuration, including network settings, user accounts, and firmware updates. An attacker could then use this compromised device as a pivot point to access other systems on the network, potentially leading to widespread data breaches and system disruption. The impact is particularly severe in environments where Axis devices are used for critical security functions, such as surveillance or access control.
CVE-2025-0358 was discovered during a penetration test and publicly disclosed on 2025-06-02. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's nature suggests it could be relatively easy to exploit once a PoC is released.
Organizations utilizing Axis devices with the VAPIX Device Configuration framework in versions 12.0.0 through 12.4.0 are at risk. This includes deployments in surveillance systems, building management systems, and other applications where Axis devices are integrated. Legacy configurations with default or weak passwords are particularly vulnerable.
Disclosure
Exploit status
EPSS: 0.18% (40th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-0358 is to upgrade the Axis VAPIX Device Configuration framework to version 12.4.0 or later. If an immediate upgrade is not possible, implement stricter access controls and privilege separation to limit the impact of a successful attack. Review user accounts and permissions, and ensure that only authorized personnel hold administrative access. A WAF rule is unlikely to address this flaw directly, but network segmentation can limit lateral movement from a compromised device. After upgrading, verify the fix by attempting a privileged operation with a non-administrator account and confirming that access is denied.
Update AXIS OS to version 12.4.0 or later. This update fixes the privilege escalation vulnerability in the VAPIX Device Configuration framework. See the Axis Communications security advisory for further details.
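A fleet audit against the affected range stated above, as an added example that is not Axis's own tooling: it parses AXIS OS version strings (the suffix handling and the sample hostnames are assumptions) and flags devices below the 12.4.0 fix release.

```python
"""Audit an inventory of Axis devices against the CVE-2025-0358 affected range.

Added example for this advisory, not Axis tooling. Assumptions: AXIS OS versions
are dotted numeric strings, optionally with a build suffix such as "12.3.50-1";
the range comes from the advisory text: affected from 12.0.0, fixed in 12.4.0.
"""
import re

FIRST_AFFECTED = (12, 0, 0)  # start of the affected range (from the advisory)
FIXED_IN = (12, 4, 0)        # first release carrying the fix (from the advisory)


def parse_version(text):
    """Turn '12.3.50' or '12.3.50-1' into a comparable tuple; None if unparsable."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True when the version lies in [FIRST_AFFECTED, FIXED_IN)."""
    v = parse_version(version_text)
    if v is None:
        # Fail loudly rather than silently treating an unknown build as safe.
        raise ValueError(f"unrecognised AXIS OS version: {version_text!r}")
    return FIRST_AFFECTED <= v < FIXED_IN


def audit(inventory):
    """Return the (hostname, version) pairs that still need the 12.4.0 upgrade."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "12.3.50"),
    ("cam-dock-02", "12.4.0"),
    ("cam-garage-03", "11.11.73"),
    ("cam-roof-04", "12.0.0"),
    ("door-ctrl-05", "12.5.12-1"),
]

if __name__ == "__main__":
    for host, ver in audit(SAMPLE_INVENTORY):
        print(f"{host}: AXIS OS {ver} is in the affected range; upgrade to 12.4.0 or later")
```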
CVE-2025-0358 is a vulnerability allowing a lower-privileged user to gain administrator access on Axis devices running the VAPIX Device Configuration framework.
You are affected if you are using Axis VAPIX Device Configuration framework versions 12.0.0 through 12.4.0.
Upgrade to version 12.4.0 or later to resolve the vulnerability. Implement stricter access controls as an interim measure.
There is currently no indication of active exploitation, but the vulnerability's nature suggests it could be exploited once a PoC is released.
Refer to the official Axis security advisory for detailed information and updates: [https://www.axis.com/support/security-advisories](https://www.axis.com/support/security-advisories)