CVE-2025-5452 is a vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, classified under CWE-214, which involves the invocation of processes using visible sensitive information. The flaw allows a malicious ACAP (Axis Camera Application Platform) application to gain access to admin-level service account credentials that are normally used by legitimate ACAP applications. This access can lead to privilege escalation, enabling the malicious application to perform actions with elevated permissions. The vulnerability can only be exploited if the Axis device is configured to permit the installation of unsigned ACAP applications, which is not the default setting and requires deliberate configuration changes. Additionally, exploitation requires that an attacker convince a victim to install the malicious ACAP application, although once installed, no further user interaction is necessary. The CVSS v3.1 score is 6.6 (medium severity) with vector AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, high attack complexity, high privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vulnerability poses a significant risk to devices configured insecurely. The root cause involves improper handling of sensitive information during process invocation, allowing credential exposure to unauthorized applications.

The potential impact of CVE-2025-5452 is significant for organizations using Axis Communications AXIS OS devices, particularly those that have enabled the installation of unsigned ACAP applications. Successful exploitation allows a malicious ACAP application to escalate privileges by accessing admin-level service account credentials, potentially compromising the confidentiality, integrity, and availability of the device and its data. This could lead to unauthorized access to surveillance feeds, manipulation or disabling of security functions, and lateral movement within the network. Given the critical role of Axis devices in physical security and surveillance, exploitation could undermine organizational security posture, lead to data breaches, and disrupt operations. The requirement for high privileges and user installation reduces the likelihood of widespread automated attacks but targeted attacks against high-value environments remain a concern. The absence of known exploits in the wild currently limits immediate risk but does not preclude future exploitation.

To mitigate CVE-2025-5452, organizations should immediately review and disable the configuration that allows installation of unsigned ACAP applications on AXIS OS devices unless absolutely necessary. Restrict ACAP application installation to only signed and verified applications from trusted sources. Implement strict access controls and monitoring on devices to detect unauthorized application installations. Employ network segmentation to isolate Axis devices from broader enterprise networks to limit lateral movement if compromised. Regularly update AXIS OS firmware and ACAP applications once vendor patches addressing this vulnerability are released. Conduct user awareness training to prevent social engineering attempts that could lead to installation of malicious applications. Additionally, audit existing ACAP applications for suspicious behavior and credentials exposure. Employ endpoint detection and response (EDR) solutions capable of monitoring Axis devices for anomalous activities related to privilege escalation attempts.