CVE-2025-5452 is a vulnerability identified in Axis Communications AB's AXIS OS, specifically version 12.0.0, affecting devices that support ACAP (Axis Camera Application Platform) applications. The core issue relates to CWE-214, which involves the invocation of processes using visible sensitive information. In this case, a malicious ACAP application can gain access to admin-level service account credentials that are intended for legitimate ACAP applications. This credential exposure occurs because the process invocation leaks sensitive information that can be intercepted or accessed by the malicious app. The exploitation scenario requires two conditions: first, the Axis device must be configured to allow installation of unsigned ACAP applications, which is not the default and represents a security risk; second, an attacker must convince a legitimate user or administrator to install the malicious ACAP application on the device. Once installed, the malicious app can escalate its privileges by leveraging the exposed credentials, potentially gaining administrative control over the device. This can lead to unauthorized access, manipulation of device settings, interception or tampering of video streams, and disruption of device availability. The CVSS v3.1 score is 6.6 (medium severity), reflecting network attack vector, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the vulnerability represents a significant risk if exploited. The lack of available patches or updates at the time of publication underscores the need for configuration-based mitigations.

For European organizations, especially those relying on Axis network cameras and devices for physical security, this vulnerability poses a risk of unauthorized administrative access and control. Compromise of these devices can lead to breaches of sensitive surveillance data, manipulation or disabling of security monitoring, and potential lateral movement within networks. Critical infrastructure, government facilities, transportation hubs, and enterprises using Axis devices for security monitoring are particularly vulnerable. The ability to escalate privileges via a malicious ACAP app could allow attackers to bypass security controls, disrupt operations, or conduct espionage. Given the requirement for user installation of unsigned apps, social engineering or insider threats are likely vectors. The impact extends beyond confidentiality to integrity and availability, potentially undermining trust in physical security systems and exposing organizations to regulatory and compliance risks under GDPR and other data protection laws.

1. Disable the installation of unsigned ACAP applications on all Axis devices to prevent unauthorized or malicious apps from being installed. 2. Restrict ACAP application deployment to trusted, signed applications only, preferably sourced directly from Axis or verified vendors. 3. Implement strict access controls and user training to reduce the risk of social engineering attacks that could lead to installation of malicious apps. 4. Monitor device logs and network traffic for unusual ACAP application behavior or unauthorized installation attempts. 5. Segment Axis devices on dedicated network segments with limited access to reduce potential lateral movement. 6. Regularly review and update device configurations to ensure security best practices are enforced. 7. Engage with Axis Communications for updates or patches addressing this vulnerability and apply them promptly once available. 8. Consider deploying endpoint detection and response (EDR) solutions that can detect anomalous behavior on devices running ACAP applications.