CVE-2025-0358 is a high-severity vulnerability identified in the AXIS OS, specifically version 12.0.0, developed by Axis Communications AB. The flaw resides in the VAPIX Device Configuration framework, which is part of the device management interface. The vulnerability is classified under CWE-269: Improper Privilege Management, indicating that the system fails to adequately restrict user privileges. During an annual penetration test conducted by Truesec on behalf of Axis Communications, it was discovered that a user with lower privileges could exploit this flaw to escalate their privileges to administrator level without requiring user interaction. The CVSS 3.1 base score of 8.8 reflects the critical nature of this vulnerability, with metrics indicating that the attack vector is local (AV:L), attack complexity is low (AC:L), privileges required are low (PR:L), no user interaction is needed (UI:N), and the scope is changed (S:C). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning an attacker gaining administrator privileges could fully control the device, access sensitive data, modify configurations, or disrupt device operations. AXIS OS is commonly used in network video products such as IP cameras and video encoders, which are often deployed in security and surveillance infrastructures. The vulnerability's exploitation could allow an attacker to manipulate video feeds, disable security monitoring, or use the compromised device as a foothold for further network intrusion. No public exploits are currently known in the wild, and no official patches have been linked yet, indicating that organizations should prioritize monitoring and mitigation efforts proactively.

For European organizations, the impact of CVE-2025-0358 is significant due to the widespread use of Axis Communications' surveillance equipment in critical infrastructure, government facilities, transportation hubs, and commercial enterprises. Unauthorized administrative access to these devices could lead to severe breaches of physical security, privacy violations, and potential sabotage of surveillance systems. This could undermine trust in security operations and expose organizations to regulatory penalties under GDPR if personal data is compromised. Additionally, compromised devices could serve as entry points for lateral movement within corporate or governmental networks, increasing the risk of broader cyberattacks. Given the high confidentiality, integrity, and availability impact, organizations relying on AXIS OS devices must consider this vulnerability a critical risk to their operational security posture.

1. Immediate mitigation should include restricting local access to AXIS OS devices to trusted personnel only, as the attack vector is local. 2. Implement network segmentation to isolate surveillance devices from critical network segments, limiting potential lateral movement if a device is compromised. 3. Monitor device logs and network traffic for unusual administrative activity or privilege escalations. 4. Apply strict access controls and enforce the principle of least privilege for all users interacting with these devices. 5. Coordinate with Axis Communications for timely patch deployment once available; in the interim, consider temporary compensating controls such as disabling unnecessary services or interfaces that provide local access. 6. Conduct regular security audits and penetration testing focused on surveillance infrastructure to detect similar privilege escalation paths. 7. Educate staff on the risks of local device access and enforce physical security controls to prevent unauthorized access to devices.