CVE-2025-6298: CWE-1287: Improper Validation of Specified Type of Input in Axis Communications AB AXIS OS
ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.
AI Analysis
Technical Summary
CVE-2025-6298 is a vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, specifically involving the Axis Camera Application Platform (ACAP). The root cause is improper validation of the specified type of input (CWE-1287) within ACAP applications, which can be exploited to gain elevated privileges on the device. The privilege escalation occurs because the system fails to properly validate input types when installing or running ACAP applications, allowing a malicious ACAP app to execute with higher privileges than intended. Exploitation has two prerequisites, however: the Axis device must be configured to permit the installation of unsigned ACAP applications, which is not the default setting, and an attacker must convince a user or administrator to install a malicious ACAP application. Once installed, the malicious app can escalate privileges without requiring further user interaction. The vulnerability affects the confidentiality, integrity, and availability of the device and potentially of the network it is connected to, as attackers could gain control over the device's functions or data. The CVSS v3.1 score is 6.7 (medium), with vector AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating that local access is required, attack complexity is low, high privileges are needed, no user interaction is required after installation, and the impact on confidentiality, integrity, and availability is high. No public exploits or patches are currently available, emphasizing the need for proactive mitigation. This vulnerability is particularly relevant for organizations deploying Axis devices in sensitive environments where ACAP applications are used and unsigned app installation is enabled.
Potential Impact
For European organizations, this vulnerability poses a significant risk to security and operational continuity, especially for those relying on Axis devices for surveillance, access control, or other security functions. Successful exploitation could allow attackers to escalate privileges on the device, potentially leading to unauthorized access to video feeds, manipulation of device settings, or disruption of security monitoring. This could compromise physical security, violate privacy regulations such as GDPR through unauthorized data access, and undermine trust in security infrastructure. Critical sectors such as government, transportation, energy, and finance that deploy Axis devices extensively could face operational disruptions or data breaches. The requirement for local access and installation of a malicious ACAP app limits remote exploitation, but insider threats or social engineering attacks could facilitate exploitation. The lack of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. The medium severity rating reflects a balance between the impact of exploitation and the complexity of the attack conditions.
Mitigation Recommendations
European organizations should take the following steps:
- Immediately audit Axis device configurations to verify whether installation of unsigned ACAP applications is enabled, and disable this feature if it is not strictly necessary.
- Restrict physical and network access to Axis devices to trusted personnel only, minimizing the risk of local exploitation.
- Implement strict application whitelisting and code signing policies for ACAP applications to prevent unauthorized or malicious app installation.
- Monitor device logs for unusual ACAP installation activity or privilege escalations.
- Coordinate with Axis Communications for timely updates and patches once they become available, and apply them promptly.
- Conduct user awareness training to prevent social engineering attacks that could lead to installation of malicious ACAP apps.
- Consider network segmentation to isolate Axis devices from critical infrastructure and sensitive networks.
- Employ endpoint detection and response (EDR) tools capable of detecting anomalous behavior on devices running AXIS OS.
- Regularly review and update security policies governing IoT and surveillance devices to incorporate emerging threats and vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Axis
- Date Reserved: 2025-06-19T07:45:08.321Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912e1d7a26e42951ce3f067
Added to database: 11/11/2025, 7:12:23 AM
Last enriched: 12/11/2025, 9:14:21 PM
Last updated: 2/6/2026, 10:11:54 AM