CVE-2025-5454: CWE-35: Path Traversal: '.../...//' in Axis Communications AB AXIS OS
An ACAP configuration file lacked sufficient input validation, which could allow a path traversal attack leading to potential privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AI Analysis
Technical Summary
CVE-2025-5454 is a path traversal vulnerability classified under CWE-35 affecting AXIS OS version 12.0.0, developed by Axis Communications AB. The root cause is insufficient input validation of a path read from an ACAP (Axis Camera Application Platform) configuration file. CWE-35 covers the '.../...//' class of sequences: a filter that removes '../' in a single pass turns '.../...//' into '../', so an application that ships such a value in its configuration can reach filesystem locations outside the directory intended for it. The advisory describes the outcome as potential privilege escalation, through manipulation or overwriting of sensitive files or configurations. Exploitation requires that the device be configured to allow installation of unsigned ACAP applications, which is not the default setting, and that an attacker convince a user or administrator to install a malicious ACAP application; once installed, the application can trigger the flaw without further user interaction. The CVSS v3.1 base score is 6.4 (medium): high impact on confidentiality, integrity and availability, offset by a local attack vector (AV:L), high attack complexity (AC:H) and high privileges required (PR:H), the last reflecting the administrator rights needed to install an app. No public exploits have been reported and no patch is linked on this page, so defenders should rely on configuration hardening until a fix is published. The vulnerability matters because Axis devices are widely deployed in surveillance and physical security systems, where a compromised camera undermines the monitoring it is meant to provide.
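As an added worked example (not code from Axis, from AXIS OS or from this page), the following Python shows the mechanism behind the CWE-35 label: a filter that deletes '../' once, versus a check that canonicalizes the final path and verifies it stays under the application's root. The install root, the key=value configuration syntax and the key names are assumptions made for illustration; the real ACAP file layout is not described on the page.

```python
"""Added illustration (not Axis code): how a CWE-35 '.../...//' sequence
defeats a filter that strips '../' once, and how to validate a path read
from an untrusted configuration file instead.

Assumptions: the key=value format, APP_ROOT and the key names are
constructed for this example; the real ACAP config syntax and install
layout are not described on the page."""
import posixpath

# Hypothetical install root for an app on the device (assumption).
APP_ROOT = "/usr/local/packages/demoapp"

# Constructed sample config: one honest path, one CWE-35 payload.
CONFIG_TEXT = """\
# constructed sample, not a real ACAP configuration file
name=demoapp
datafile=data/state.db
logfile=.../...//.../...//.../...//.../...//etc/passwd
"""


def parse_config(text: str) -> dict:
    """Minimal key=value parser for the constructed sample above."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def naive_strip(value: str) -> str:
    """The filter class CWE-35 targets: removes every '../' in one pass.
    str.replace scans left to right, so '.../...//' loses two inner
    '../' substrings and what remains is exactly '../'."""
    return value.replace("../", "")


def resolve_vulnerable(root: str, value: str) -> str:
    """Sanitize by deletion, then trust the result (the flawed pattern)."""
    return posixpath.normpath(posixpath.join(root, naive_strip(value)))


def resolve_hardened(root: str, value: str) -> str:
    """Do not rewrite the input; canonicalize the final path and require
    it to stay under root. On a real device also pass the result through
    os.path.realpath() so a symlink cannot relocate it outside root."""
    root = posixpath.normpath(root)
    full = posixpath.normpath(posixpath.join(root, value))
    if full != root and not full.startswith(root + "/"):
        raise ValueError(f"path escapes {root}: {value!r}")
    return full


def audit_config(root: str, cfg: dict, path_keys=("datafile", "logfile")) -> dict:
    """Resolve each path-valued key both ways; 'hardened' is None when
    the strict check rejects the value."""
    report = {}
    for key in path_keys:
        value = cfg[key]
        try:
            hardened = resolve_hardened(root, value)
        except ValueError:
            hardened = None
        report[key] = {
            "vulnerable": resolve_vulnerable(root, value),
            "hardened": hardened,
        }
    return report


if __name__ == "__main__":
    for key, result in audit_config(APP_ROOT, parse_config(CONFIG_TEXT)).items():
        print(f"{key}: naive filter -> {result['vulnerable']}, "
              f"strict check -> {result['hardened']}")
```

Two things are worth noticing when running it. The deletion filter looks correct on the obvious input '../../etc/passwd' (it collapses to 'etc/passwd' and stays inside the root), which is exactly why such filters ship; the four-block '.../...//' payload, however, becomes '../../../../etc/passwd' and lands on /etc/passwd. The strict check never rewrites the value, so the same payload is simply a harmless path under a directory literally named '...', and genuine escapes such as '../../etc/passwd' or an absolute '/etc/passwd' are rejected outright.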
Potential Impact
For European organizations, this vulnerability poses a risk primarily to those deploying Axis network devices, especially in security, surveillance, and critical infrastructure sectors. Successful exploitation could lead to unauthorized access to sensitive data, manipulation of device configurations, or disruption of surveillance operations, impacting confidentiality, integrity, and availability, and in turn undermining physical security monitoring and incident response. The requirement to install an unsigned ACAP application narrows the attack surface to devices where that setting has been enabled, which means the realistic attack paths are social engineering of an administrator or an insider who already holds install rights. Organizations relying on Axis devices in government, transportation, energy, and large enterprises could face operational disruptions and, if recorded personal data is exposed, regulatory consequences under GDPR. The absence of known exploits leaves a window for mitigation before active attacks emerge.
Mitigation Recommendations
European organizations should immediately audit their Axis device configurations to ensure that installation of unsigned ACAP applications is disabled unless absolutely necessary. Where unsigned app installation is genuinely required, restrict it to the smallest set of administrator accounts, obtain ACAP packages only from a channel whose integrity you can verify, and record the hash of every package installed so that unexpected installations can be traced. Monitor device logs for installation activity or configuration changes that no change ticket explains. Network segmentation should isolate Axis devices from broader enterprise networks to limit lateral movement in case of compromise. Employ strong access controls and multi-factor authentication for device management interfaces. Regularly check for vendor updates or patches addressing this vulnerability and apply them promptly once available. Conduct awareness training for the staff who administer these devices so that requests to install an app from an unfamiliar source are treated as suspect. Because third-party endpoint agents cannot be installed on a camera the way they are on a workstation, forward device logs to a central SIEM and monitor device network traffic for anomalies instead of relying on EDR tooling.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Norway
Technical Details
- Data Version: 5.2
- Assigner Short Name: Axis
- Date Reserved: 2025-06-02T08:24:52.053Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912de4da26e42951cdeabcf
Added to database: 11/11/2025, 6:57:17 AM
Last enriched: 11/11/2025, 7:12:42 AM
Last updated: 11/15/2025, 6:15:23 PM
Related Threats
- CVE-2025-13208: SQL Injection in FantasticLBP Hotels Server (Medium)
- CVE-2025-13203: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-13202: Cross Site Scripting in code-projects Simple Cafe Ordering System (Medium)
- CVE-2025-13201: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
- CyberRecon project (Medium)