Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-30027

Summary
Assigner-Axis
Assigner Org ID-f2daf9a0-02c2-4b83-a01d-63b3b304b807
Published At-12 Aug, 2025 | 05:18
Updated At-14 Aug, 2025 | 03:56
Rejected At-
Credits

An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Axis
Assigner Org ID:f2daf9a0-02c2-4b83-a01d-63b3b304b807
Published At:12 Aug, 2025 | 05:18
Updated At:14 Aug, 2025 | 03:56
Rejected At:
▼CVE Numbering Authority (CNA)

An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Affected Products
Vendor
Axis Communications AB
Product
AXIS OS
Default Status
unaffected
Versions
Affected
  • From 12.0.0 before 12.3.36 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-1287CWE-1287: Improper Validation of Specified Type of Input
Type: CWE
CWE ID: CWE-1287
Description: CWE-1287: Improper Validation of Specified Type of Input
Metrics
VersionBase scoreBase severityVector
3.16.7MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 6.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
URCQ
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.axis.com/dam/public/ab/9a/a5/cve-2025-30027pdf-en-US-492762.pdf
N/A
Hyperlink: https://www.axis.com/dam/public/ab/9a/a5/cve-2025-30027pdf-en-US-492762.pdf
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:product-security@axis.com
Published At:12 Aug, 2025 | 06:15
Updated At:12 Aug, 2025 | 14:25

An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.7MEDIUM
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 6.7
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-1287Secondaryproduct-security@axis.com
CWE ID: CWE-1287
Type: Secondary
Source: product-security@axis.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://www.axis.com/dam/public/ab/9a/a5/cve-2025-30027pdf-en-US-492762.pdfproduct-security@axis.com
N/A
Hyperlink: https://www.axis.com/dam/public/ab/9a/a5/cve-2025-30027pdf-en-US-492762.pdf
Source: product-security@axis.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2025-3892
Matching Score-8
Assigner-Axis Communications AB
ShareView Details
Matching Score-8
Assigner-Axis Communications AB
CVSS Score-6.7||MEDIUM
EPSS-0.02% / 2.22%
||
7 Day CHG~0.00%
Published-12 Aug, 2025 | 05:14
Updated-14 Aug, 2025 | 03:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

ACAP applications can be executed with elevated privileges, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-250
Execution with Unnecessary Privileges
CVE-2025-0325
Matching Score-6
Assigner-Axis Communications AB
ShareView Details
Matching Score-6
Assigner-Axis Communications AB
CVSS Score-4.3||MEDIUM
EPSS-0.07% / 22.80%
||
7 Day CHG~0.00%
Published-02 Jun, 2025 | 07:36
Updated-02 Jun, 2025 | 17:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Guard Tour VAPIX API parameter allowed the use of arbitrary values and can be incorrectly called, allowing an attacker to block access to the guard tour configuration page in the web interface of the Axis device.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CWE ID-CWE-628
Function Call with Incorrectly Specified Arguments
CVE-2024-47262
Matching Score-6
Assigner-Axis Communications AB
ShareView Details
Matching Score-6
Assigner-Axis Communications AB
CVSS Score-5.3||MEDIUM
EPSS-0.12% / 31.07%
||
7 Day CHG~0.00%
Published-04 Mar, 2025 | 05:19
Updated-28 Mar, 2025 | 07:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not affected. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
CVE-2024-47261
Matching Score-6
Assigner-Axis Communications AB
ShareView Details
Matching Score-6
Assigner-Axis Communications AB
CVSS Score-4.3||MEDIUM
EPSS-0.11% / 30.12%
||
7 Day CHG~0.00%
Published-08 Apr, 2025 | 05:33
Updated-08 Apr, 2025 | 14:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

51l3nc3, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API uploadoverlayimage.cgi did not have sufficient input validation to allow an attacker to upload files to block access to create image overlays in the web interface of the Axis device.

Action-Not Available
Vendor-Axis Communications AB
Product-AXIS OS
CWE ID-CWE-1287
Improper Validation of Specified Type of Input
Details not found