
CVE-2025-13064: CWE-248: Uncaught Exception in Axis Communications AB AXIS Camera Station Pro

Severity: Medium
Published: Tue Feb 10 2026 (02/10/2026, 05:40:34 UTC)
Source: CVE Database V5
Vendor/Project: Axis Communications AB
Product: AXIS Camera Station Pro

Description

CVE-2025-13064 is a medium severity vulnerability in Axis Communications AB's AXIS Camera Station Pro version 6. It involves a server-side injection caused by an uncaught exception (CWE-248) that allows a malicious administrator, using a tampered client, to inject and execute malicious scripts on the server. The vulnerability requires high privileges (admin access) and no user interaction. Exploitation impacts availability but not confidentiality or integrity, and no known exploits are currently in the wild. The attack vector is remote and requires an authenticated attacker using a compromised client. European organizations using AXIS Camera Station Pro for video surveillance could face service disruptions if exploited. Mitigation involves ensuring client integrity, restricting admin client usage, and monitoring for anomalous server behavior. Countries with high adoption of Axis surveillance products and critical infrastructure reliance on video monitoring, such as Germany, France, the UK, and the Netherlands, are most likely affected. Given the limited impact scope and exploitation complexity, the severity is medium.

AI-Powered Analysis

Last updated: 02/17/2026, 09:31:33 UTC

Technical Analysis

CVE-2025-13064 is a vulnerability identified in Axis Communications AB's AXIS Camera Station Pro version 6, classified under CWE-248 (Uncaught Exception). The flaw allows a malicious administrator, who must have high-level privileges and use a tampered client application, to perform a server-side injection attack. This injection enables the attacker to manipulate the application to include and execute malicious scripts on the server side. The vulnerability arises because the application does not properly handle exceptions, allowing the injection to bypass normal validation or sanitization routines. The attack vector is remote and requires authenticated access with administrator privileges, but no user interaction is needed beyond the attacker using a compromised client. The CVSS v3.1 score is 4.5, reflecting a medium severity primarily due to the impact on availability (denial of service or disruption of service) without affecting confidentiality or integrity. No patches or known exploits are currently documented, but the risk exists in environments where administrators might use compromised clients, potentially due to insufficient endpoint security. This vulnerability could lead to service outages or degraded performance of the video management system, impacting surveillance operations. The lack of confidentiality or integrity impact reduces the risk of data breaches but does not eliminate operational risks. The vulnerability highlights the importance of securing administrative endpoints and ensuring robust exception handling in server applications.

Potential Impact

For European organizations, particularly those relying on AXIS Camera Station Pro for critical video surveillance and security monitoring, this vulnerability could cause significant availability issues. Disruption or denial of service in surveillance systems can impair physical security monitoring, delay incident response, and reduce situational awareness. While confidentiality and integrity of data are not directly impacted, the loss of availability can have cascading effects on security operations, especially in sectors like transportation, government facilities, utilities, and large enterprises. The requirement for a tampered client limits the attack surface to scenarios where administrative endpoints are compromised, emphasizing the risk from insider threats or targeted endpoint attacks. Organizations with extensive Axis deployments may face operational downtime or require emergency incident response to restore service. The absence of known exploits reduces immediate risk but does not preclude future exploitation. Given the critical role of video surveillance in European critical infrastructure and public safety, even medium severity vulnerabilities warrant prompt attention.

Mitigation Recommendations

1. Enforce strict endpoint security controls on all administrative clients, including application whitelisting, anti-malware, and integrity verification to prevent client tampering.
2. Limit administrative access to AXIS Camera Station Pro to trusted, hardened devices and networks, employing network segmentation and VPNs where appropriate.
3. Implement multi-factor authentication for all administrator accounts to reduce risk of credential compromise.
4. Monitor server logs and application behavior for anomalies indicative of injection attempts or unexpected script execution.
5. Regularly audit and update administrative client software to detect and remediate tampering or unauthorized modifications.
6. Coordinate with Axis Communications for official patches or updates addressing this vulnerability once available.
7. Develop incident response plans specifically for video management system disruptions to minimize operational impact.
8. Conduct security awareness training for administrators on risks of using compromised clients and safe operational practices.
9. Consider deploying application-layer firewalls or intrusion detection systems that can detect and block injection patterns targeting the server.
10. Maintain backups and recovery procedures for the video management system to restore service quickly if disruption occurs.


Technical Details

Data Version: 5.2
Assigner Short Name: Axis
Date Reserved: 2025-11-12T13:05:30.353Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 698ac9b04b57a58fa1e63dec

Added to database: 2/10/2026, 6:01:20 AM

Last enriched: 2/17/2026, 9:31:33 AM

Last updated: 2/21/2026, 12:18:05 AM
