CVE-2025-3892 is a security vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, specifically related to the execution of ACAP (Axis Camera Application Platform) applications with unnecessarily elevated privileges. The root cause is that ACAP applications, when installed on the device, run with higher privileges than required, violating the principle of least privilege (CWE-250). This flaw can be exploited only if the device is configured to allow installation of unsigned ACAP applications, which is not the default setting, and if an attacker successfully convinces a user or administrator to install a malicious ACAP application. Once installed, the malicious application can execute with elevated privileges, potentially leading to privilege escalation, allowing the attacker to gain unauthorized access to sensitive device functions or data, manipulate device behavior, or disrupt operations. The CVSS 3.1 base score is 6.7, reflecting a medium severity with a vector indicating local attack vector (AV:L), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). No known exploits have been reported in the wild, and no patches are currently linked, suggesting that mitigation relies on configuration changes and monitoring until a vendor patch is released. This vulnerability highlights the risks associated with executing applications with excessive privileges and the importance of restricting installation of unsigned software on embedded devices.

The potential impact of CVE-2025-3892 is significant for organizations using Axis Communications devices running AXIS OS 12.0.0 with ACAP enabled and configured to allow unsigned application installation. Successful exploitation can lead to privilege escalation, enabling attackers to gain unauthorized control over the device, access sensitive video streams or device configurations, and potentially pivot within the network. This compromises confidentiality, integrity, and availability of the device and its data. In environments where these devices are used for physical security, surveillance, or critical infrastructure monitoring, such compromise could lead to unauthorized surveillance, disruption of security monitoring, or manipulation of device functions. Although exploitation requires local access or convincing a user to install a malicious app, the medium severity and high impact on core security properties make this a notable risk. Organizations with lax ACAP installation policies or insufficient user training are particularly vulnerable. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time.

To mitigate CVE-2025-3892 effectively, organizations should immediately review and harden their Axis device configurations by disabling the installation of unsigned ACAP applications, which is the primary exploitation vector. Restrict ACAP application installation to only signed and verified applications from trusted sources. Implement strict access controls and user permissions to limit who can install or manage ACAP applications on devices. Conduct user awareness training to prevent social engineering attempts that could lead to installation of malicious applications. Monitor device logs and network traffic for unusual activity indicative of unauthorized application installation or privilege escalation attempts. Regularly check for and apply firmware or software updates from Axis Communications as patches become available. Additionally, segment the network to isolate Axis devices from critical infrastructure and sensitive data to limit potential lateral movement if a device is compromised. Employ endpoint detection and response (EDR) solutions where possible to detect anomalous behaviors on these devices.