CVE-2025-12757 is a path traversal vulnerability classified under CWE-22, found in AXIS Camera Station Pro version 6, a video management software by Axis Communications AB. The flaw arises from improper limitation of pathname inputs, allowing a non-administrative user to manipulate file paths to access files or information outside their permitted directories. This bypasses intended access controls, potentially exposing sensitive configuration files, logs, or other data that should remain restricted. The vulnerability requires low attack complexity and no user interaction, but does require the attacker to have some level of privileges (non-admin user). The CVSS 3.1 base score is 4.6, reflecting limited confidentiality and integrity impact without availability effects. No public exploits or active exploitation campaigns have been reported to date. The vulnerability was reserved in November 2025 and published in February 2026. The absence of patches at the time of reporting suggests organizations must rely on compensating controls until official fixes are released. Given the nature of video management systems, unauthorized access to data could lead to privacy violations, intelligence gathering by adversaries, or further lateral movement within networks.

For European organizations, the impact of CVE-2025-12757 could be significant in sectors relying on AXIS Camera Station Pro for surveillance and security monitoring, such as government facilities, transportation hubs, critical infrastructure, and private enterprises. Unauthorized access to sensitive video management data could compromise operational security, reveal surveillance configurations, or expose personal data protected under GDPR. Although the vulnerability does not allow full administrative control or denial of service, the confidentiality breach risks could facilitate espionage, insider threats, or compliance violations. The medium severity score indicates a moderate risk, but the strategic importance of surveillance systems in Europe elevates the potential consequences. Organizations failing to address this vulnerability may face regulatory penalties and reputational damage if data exposure occurs.

1. Immediately audit and restrict user privileges within AXIS Camera Station Pro to the minimum necessary, ensuring non-admin users cannot access sensitive directories. 2. Implement network segmentation to isolate surveillance management systems from general user networks, reducing the attack surface. 3. Monitor file access logs and system behavior for unusual or unauthorized attempts to access restricted files or directories. 4. Apply application-layer controls such as web application firewalls (WAFs) to detect and block path traversal attempts. 5. Engage with Axis Communications for official patches or updates and prioritize their deployment once available. 6. Conduct regular security assessments and penetration testing focused on access control weaknesses in surveillance infrastructure. 7. Educate system administrators on secure configuration practices and the risks associated with path traversal vulnerabilities. 8. Consider deploying endpoint detection and response (EDR) solutions on servers hosting AXIS Camera Station Pro to detect lateral movement attempts.