CVE-2025-5454 is a path traversal vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, specifically related to the handling of ACAP (Axis Camera Application Platform) configuration files. The root cause is insufficient input validation that fails to properly sanitize path inputs containing sequences such as '.../...//', enabling an attacker to traverse directories outside the intended scope. This can allow unauthorized access to sensitive files or directories, potentially leading to privilege escalation on the device. However, exploitation is conditional: the Axis device must be configured to allow installation of unsigned ACAP applications, which is not the default setting, and the attacker must convince a legitimate user or administrator to install a malicious ACAP application. The vulnerability is classified under CWE-35 (Path Traversal). The CVSS v3.1 score is 6.4, indicating medium severity, with vector AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H, meaning the attack requires local access, high attack complexity, high privileges, no user interaction, and impacts confidentiality, integrity, and availability. No public exploits or patches are currently available, so mitigation relies on configuration management and monitoring. This vulnerability poses a risk primarily to organizations deploying Axis devices with ACAP enabled and unsigned app installation permitted, such as surveillance systems in critical infrastructure or enterprise environments.

The potential impact of CVE-2025-5454 includes unauthorized access to sensitive files and directories on Axis devices, leading to privilege escalation. This can compromise the confidentiality of sensitive data stored or processed by the device, integrity of system configurations or logs, and availability of the device if malicious actions disrupt normal operations. Organizations relying on Axis surveillance or security devices with ACAP enabled and unsigned app installation allowed could face risks of device takeover, data leakage, or disruption of security monitoring functions. Given the medium severity and the requirement for local access with high privileges, the threat is more significant in environments where physical or network access to devices is possible by attackers or insiders. The lack of known exploits reduces immediate risk, but the potential for targeted attacks in critical infrastructure sectors or enterprises using these devices remains. Failure to mitigate could lead to compromise of security monitoring systems, undermining overall organizational security posture.

To mitigate CVE-2025-5454, organizations should: 1) Disable the installation of unsigned ACAP applications on all Axis devices unless absolutely necessary; 2) Enforce strict access controls to limit who can install or manage ACAP applications, ensuring only trusted administrators have such privileges; 3) Monitor device logs and network traffic for unusual installation attempts or unauthorized application deployments; 4) Implement network segmentation to restrict access to Axis devices from untrusted networks or users; 5) Regularly audit device configurations to verify that unsigned app installation remains disabled; 6) Stay informed on vendor updates and apply patches promptly once available; 7) Educate users and administrators about the risks of installing unverified applications; 8) Consider deploying endpoint detection and response (EDR) solutions that can detect anomalous behaviors on devices; 9) If unsigned app installation is required, use cryptographic signing and verification processes to ensure application integrity; 10) Conduct penetration testing and vulnerability assessments focused on Axis devices to identify potential exploitation paths.