CVE-2025-30027: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS

Severity: Medium
Tags: Vulnerability, CVE-2025-30027, cve, cve-2025-30027, cwe-1287
Published: Tue Aug 12 2025 (08/12/2025, 05:18:26 UTC)
Source: CVE Database V5
Vendor/Project: Axis Communications AB
Product: AXIS OS

Description

An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

AI-Powered Analysis

Last updated: 08/20/2025, 01:36:14 UTC

Technical Analysis

CVE-2025-30027 is a medium-severity vulnerability affecting AXIS OS version 12.0.0, developed by Axis Communications AB. The vulnerability arises from improper validation of input types in ACAP (Axis Camera Application Platform) configuration files, classified under CWE-1287. Specifically, the system does not sufficiently validate the type of input provided in these configuration files, which can lead to arbitrary code execution. Exploitation requires that the Axis device is configured to permit installation of unsigned ACAP applications, which is not the default setting and represents a deliberate relaxation of security controls. Furthermore, exploitation necessitates that an attacker convinces a legitimate user or administrator to install a malicious ACAP application, implying a social engineering component. The CVSS 3.1 base score is 6.7, reflecting a medium severity with the vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating that the attack requires local access, low attack complexity, high privileges, no user interaction, unchanged scope, and results in high confidentiality, integrity, and availability impacts. No known exploits are currently reported in the wild, and no patches have been published at the time of this analysis. The vulnerability could allow attackers with local high privileges to execute arbitrary code, potentially compromising the device and any connected systems or networks. Given that Axis devices are commonly used for video surveillance and security monitoring, successful exploitation could undermine physical security and privacy protections.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to entities relying on Axis Communications' surveillance devices running AXIS OS 12.0.0, especially if these devices are configured to allow unsigned ACAP applications. The potential impact includes unauthorized code execution on security cameras or related devices, which could lead to manipulation or disabling of surveillance feeds, data exfiltration, or pivoting to other internal systems. This could compromise physical security monitoring in critical infrastructure, government facilities, transportation hubs, and corporate environments. The confidentiality, integrity, and availability of surveillance data could be severely affected, undermining trust in security operations. Additionally, since exploitation requires local access and high privileges, insider threats or attackers who have already breached perimeter defenses could leverage this vulnerability to escalate control over security devices. The lack of user interaction reduces the likelihood of accidental exploitation but does not eliminate risk from targeted attacks. The absence of known exploits in the wild suggests that the threat is currently theoretical but warrants proactive mitigation given the critical role of these devices in security.

Mitigation Recommendations

European organizations should first verify whether their Axis devices are running AXIS OS version 12.0.0 and assess if the configuration permits installation of unsigned ACAP applications. If so, immediate steps should be taken to disable the installation of unsigned ACAP applications unless absolutely necessary. Organizations should enforce strict access controls to limit local administrative privileges on these devices, ensuring that only trusted personnel can install or modify ACAP applications. Implementing network segmentation to isolate surveillance devices from general IT networks can reduce the risk of lateral movement. Monitoring and logging installation activities on Axis devices should be enhanced to detect any unauthorized or suspicious ACAP application installations. Since no official patches are currently available, organizations should engage with Axis Communications for updates or workarounds and consider applying any vendor-recommended mitigations as they become available. Additionally, user training to recognize social engineering attempts aimed at convincing administrators to install malicious applications is critical. Regular audits of device configurations and installed applications will help identify and remediate potential risks proactively.

Technical Details

Data Version: 5.1
Assigner Short Name: Axis
Date Reserved: 2025-03-14T05:27:55.732Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 689ad1fead5a09ad002dcf02

Added to database: 8/12/2025, 5:32:46 AM

Last enriched: 8/20/2025, 1:36:14 AM

Last updated: 8/21/2025, 12:35:15 AM
