CVE-2025-4645 is a vulnerability identified in Axis Communications AB's AXIS OS, specifically version 12.0.0, involving improper validation of the specified type of input in ACAP configuration files (CWE-1287). ACAP (Axis Camera Application Platform) allows for custom applications to run on Axis devices. The vulnerability arises because the ACAP configuration file does not sufficiently validate input types, which can be exploited to execute arbitrary code on the device. However, exploitation is conditional: the Axis device must be configured to permit installation of unsigned ACAP applications, and an attacker must convince the victim to install a malicious ACAP application. The CVSS 3.1 base score is 6.7 (medium severity), with attack vector local, low attack complexity, high privileges required, no user interaction, and impacts rated high on confidentiality, integrity, and availability. No public exploits are known at this time. This vulnerability could allow attackers with local access or social engineering capabilities to compromise the device’s operating system, potentially gaining full control and disrupting surveillance or network operations. The lack of input validation in configuration files is a critical security flaw, especially in devices deployed in sensitive environments. Since Axis devices are widely used in security and surveillance, this vulnerability poses a significant risk if not mitigated properly.

The potential impact of CVE-2025-4645 is significant for organizations relying on Axis devices for surveillance, security, and network monitoring. Successful exploitation could lead to arbitrary code execution, allowing attackers to take full control of the device, access sensitive video feeds, manipulate device configurations, or disrupt device availability. This compromises confidentiality, integrity, and availability of surveillance data and network operations. In critical infrastructure environments, such as transportation hubs, government facilities, or industrial sites, this could lead to severe operational disruptions or espionage. The requirement for local access or convincing a user to install a malicious application limits remote exploitation but does not eliminate risk, especially in environments where device management is distributed or less controlled. The absence of known exploits suggests a window for proactive mitigation before widespread attacks occur.

To mitigate CVE-2025-4645, organizations should immediately review and disable the installation of unsigned ACAP applications on all Axis devices unless absolutely necessary. Restrict device access to trusted administrators only and enforce strict application signing policies. Monitor and audit ACAP application installations to detect unauthorized or suspicious activity. Apply any vendor-released patches or firmware updates addressing this vulnerability as soon as they become available. Additionally, implement network segmentation to isolate Axis devices from general user networks, reducing the risk of local exploitation. Educate users and administrators about the risks of installing unsigned or unverified applications on these devices. Employ endpoint protection and intrusion detection systems to monitor for anomalous behavior indicative of exploitation attempts. Regularly review device configurations and logs for signs of compromise.