CVE-2025-5454: CWE-35: Path Traversal: '.../...//' in Axis Communications AB AXIS OS
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AI Analysis
Technical Summary
CVE-2025-5454 is a path traversal vulnerability in the handling of an ACAP configuration file in AXIS OS from Axis Communications AB; this record lists version 12.0.0 as affected. The root cause is insufficient validation of file paths read from that configuration file. The CWE-35 pattern '.../...//' is the variant that defeats a filter which removes '../' in a single, non-recursive pass: stripping '../' from '.../...//' leaves '../' behind, so a value that looked clean to the filter still walks out of the intended directory. A malicious ACAP package could therefore reference files and directories outside its own install location. The advisory describes the outcome as potential privilege escalation, which implies the component that parses the configuration runs with higher privileges than the application being installed, so the traversal can become unauthorized reading or modification of sensitive system files. Two conditions gate exploitation: the device must be configured to allow installation of unsigned ACAP applications, and an attacker must convince an administrator to install a malicious ACAP application. ACAP (Axis Camera Application Platform) lets third-party applications run on Axis devices; when unsigned apps are permitted, the device installs packages whose signature it cannot verify, so the signature check no longer stops a tampered package. The CVSS 3.1 base score is 6.4 (medium), with AV:L, AC:H, PR:H, UI:N and C:H/I:H/A:H (a score of 6.4 for this vector corresponds to scope unchanged). Note that UI:N sits uneasily with the description's requirement that a victim be persuaded to install the package; read the score alongside the vendor text rather than instead of it. No public exploits are known and no patch is listed in this record. Because Axis devices are commonly deployed in surveillance and physical-security systems, a successful exploit could let an attacker control or disrupt device operation.
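The '.../...//' pattern that CWE-35 names is a filter-evasion trick rather than a different traversal mechanism. The Python below is an added example, not Axis code and not taken from the advisory; it assumes a hypothetical application root (`/usr/local/packages/exampleapp`) and constructed configuration values, and shows a single-pass '../' filter turning the pattern into a working '../' chain, beside a containment check that resolves the path before deciding.

```python
# Added example, not code from Axis or from this advisory: it shows why the
# CWE-35 pattern '.../...//' defeats a filter that strips '../' in one pass,
# and contrasts that with a containment check that resolves the path first.
# APP_ROOT and the sample configuration values are assumed for illustration
# and are not taken from the ACAP specification.
import posixpath
from typing import Optional

# Assumed install root of one ACAP application on the device.
APP_ROOT = "/usr/local/packages/exampleapp"

# Constructed sample: path values as they might appear in a package's
# configuration file (the key names are hypothetical).
SAMPLE_CONFIG = {
    "benign":  "conf/app.conf",
    "classic": "../../../../etc/shadow",
    # Four '.../...//' blocks: each collapses to '../' after one strip pass.
    "cwe35":   ".../...//.../...//.../...//.../...//etc/shadow",
}


def naive_sanitize(candidate: str) -> str:
    """The weak filter: remove every '../' once, without re-scanning.

    '.../...//' -> '../' because the two removed '../' occurrences leave
    the first '.', the middle '.', and the final '/' behind.
    """
    return candidate.replace("../", "")


def naive_resolve(candidate: str, root: str = APP_ROOT) -> str:
    """Filter, join to the app root, normalise, and trust the result."""
    return posixpath.normpath(posixpath.join(root, naive_sanitize(candidate)))


def resolve_under_root(candidate: str, root: str = APP_ROOT) -> Optional[str]:
    """Resolve the candidate relative to root and reject anything that escapes.

    The check runs on the resolved path, so no amount of '../' or '.../...//'
    obfuscation matters: either the final path lies under root or it does not.
    Returns the absolute path, or None when rejected.
    """
    if not candidate or "\x00" in candidate:
        return None
    # Treat the value as relative; a leading '/' would otherwise replace root.
    joined = posixpath.normpath(posixpath.join(root, candidate.lstrip("/")))
    # Component-wise prefix test; a plain startswith(root) would also accept
    # a sibling directory such as root + '2'.
    if posixpath.commonpath([root, joined]) != root:
        return None
    return joined


def evaluate(config: dict) -> dict:
    """Run both strategies over every value; returns {key: (naive, checked)}."""
    return {k: (naive_resolve(v), resolve_under_root(v)) for k, v in config.items()}


if __name__ == "__main__":
    for key, (naive, checked) in evaluate(SAMPLE_CONFIG).items():
        print(f"{key:8s} naive={naive}  checked={checked}")
```

Run as is, the naive strategy resolves the constructed 'cwe35' value to /etc/shadow while it catches the plain '../' chain, which is exactly how such filters pass casual testing. The containment check needs no stripping at all: the raw 'cwe35' value resolves to a harmless path under the root whose components happen to be named '...', and the plain chain is rejected. The same shape applies to any loader that reads paths from an untrusted package manifest.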
Potential Impact
For European organizations the impact could be significant wherever Axis network devices underpin video surveillance and building management. Successful exploitation could expose sensitive files on the device, alter its configuration, or disrupt its availability, undermining physical security and operational continuity. Sectors with dense Axis deployments, such as transportation, government facilities, energy and finance, are the most exposed. The requirement for local high-privilege access and for a malicious unsigned ACAP package to be installed narrows the attack surface but does not remove the risk in environments where administrators routinely sideload applications or where management credentials are weakly controlled. A compromised camera sits on the network as a trusted and rarely monitored Linux host, so it can also serve as a foothold for lateral movement, raising overall organizational risk.
Mitigation Recommendations
Audit Axis device configurations now and confirm that installation of unsigned ACAP applications is disabled; treat that setting as a development-only switch and re-check it after firmware upgrades and factory resets. Where unsigned packages are genuinely required, restrict who may install them, obtain packages only through a controlled build pipeline, and record the hash of every package deployed. Segment Axis devices from the wider enterprise network and limit management access to a small set of administrators, since the vector requires local, high-privilege access. Log and review ACAP installations and device configuration changes so that an unexpected package or a flipped unsigned-apps setting is noticed. Keep an inventory of Axis devices and their AXIS OS versions and apply the vendor patch promptly once it is published. Train administrators not to sideload packages received by e-mail or from untrusted sites. Conventional endpoint protection agents do not install on these embedded devices, so rely on network intrusion detection and the devices' own logs to spot anomalous behaviour.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Axis
- Date Reserved: 2025-06-02T08:24:52.053Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912de4da26e42951cdeabcf
Added to database: 11/11/2025, 6:57:17 AM
Last enriched: 12/11/2025, 9:13:24 PM
Last updated: 1/7/2026, 8:50:51 AM