CVE-2025-5718 is a vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, specifically within the ACAP Application framework. The flaw stems from improper link resolution before file access (CWE-59), commonly known as a symlink attack. This vulnerability enables an attacker to escalate privileges on the device by exploiting the way the system handles symbolic links during file operations. However, exploitation is conditional: the Axis device must be configured to allow the installation of unsigned ACAP applications, which is not the default setting, and the attacker must convince a legitimate user to install a malicious ACAP application. The attack vector is network-based, requiring the attacker to have network access to the device. The CVSS 3.1 vector indicates low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R), meaning the attacker needs to persuade the user to install the malicious app. The impact is significant, with high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), potentially allowing full device compromise and control. No public exploits or patches are currently available, but the vulnerability is published and tracked. The vulnerability affects only version 12.0.0 of AXIS OS, and the vendor has reserved the CVE since June 2025, with publication in November 2025. This vulnerability is particularly relevant for environments where ACAP applications are used extensively and unsigned app installation is permitted, such as in customized or less strictly managed deployments.

For European organizations, the impact of CVE-2025-5718 can be substantial, especially for those relying on Axis Communications' security devices such as network cameras and access control systems running AXIS OS with ACAP enabled. Successful exploitation could lead to privilege escalation, allowing attackers to gain unauthorized control over the device, potentially compromising video surveillance integrity, confidentiality of recorded footage, and availability of security monitoring. This could facilitate further lateral movement within networks, espionage, or sabotage of physical security infrastructure. Critical sectors such as government, transportation, energy, and financial services that deploy Axis devices for surveillance and access control are at heightened risk. The requirement for user interaction and installation of a malicious app somewhat limits the attack surface but does not eliminate the threat, especially in environments where device management policies are lax or where users have elevated privileges. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future exploitation. The medium CVSS score reflects the balance between impact and exploitation complexity.

To mitigate CVE-2025-5718, European organizations should take several specific actions beyond generic patching advice: 1) Immediately review and disable the option to install unsigned ACAP applications on all Axis devices unless absolutely necessary. 2) Implement strict access controls and user privilege management to prevent unauthorized installation of applications on devices. 3) Educate users and administrators about the risks of installing unverified ACAP applications and enforce policies that restrict installation to trusted sources only. 4) Monitor network traffic and device logs for unusual activity related to ACAP application installation or execution. 5) Segment network access to Axis devices to limit exposure to potentially malicious actors. 6) Engage with Axis Communications for updates and patches addressing this vulnerability and plan timely deployment once available. 7) Consider disabling ACAP functionality if not required to reduce the attack surface. 8) Conduct regular security audits of device configurations to ensure compliance with security best practices. These targeted measures will reduce the likelihood of exploitation and limit potential damage.