CVE-2025-9055: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS
The VAPIX Edge storage API allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account.
AI Analysis
Technical Summary
CVE-2025-9055 is a vulnerability in Axis Communications AB's AXIS OS (this record lists version 12.0.0) affecting the VAPIX Edge storage API, the HTTP API through which SD card and network-share recording storage on the device is managed. It is classed as CWE-250, Execution with Unnecessary Privileges: operations behind the API run with more privilege than they need, and an attacker who already holds a VAPIX administrator-role (service) account can abuse this to obtain Linux root on the device. No user interaction beyond that authentication is required. The CVSS v3.1 base score is 6.4 (Medium) with vector AV:L/AC:H/PR:H/UI:N/C:H/I:H/A:H; the 6.4 result corresponds to scope unchanged (S:U). The confidentiality, integrity and availability impacts are all High because root means full control of the device. Two points on the vector matter in practice: PR:H is the real gate, since the attacker needs working administrator credentials, and VAPIX is reached over the device's HTTP(S) interface, so the AV:L rating should not be read as a requirement for physical or console access. This record lists no public exploit and no patch information; the CVE was reserved on 2025-08-15 and is in PUBLISHED state, so the Axis security advisory should be consulted for fixed AXIS OS versions. AXIS OS runs on network video products such as IP cameras and video encoders that are often deployed in security-sensitive environments, and root on such a device lets an attacker manipulate or suppress video, disable monitoring, or use the device as a pivot into the rest of the network.
Potential Impact
For European organisations the risk concentrates in sectors that rely on Axis network video devices for physical security: government facilities, transportation hubs, utilities and other critical infrastructure. An attacker who already holds administrator-level access to a device can use the flaw to obtain root, and from there manipulate or blank surveillance footage, disable the device, or use it as a foothold for lateral movement into the network, compromising the confidentiality of recorded data, the availability of monitoring and the integrity of the system. Because administrator credentials are required, insiders and compromised administrative accounts are the primary risk vectors. Note that the "service account" named in the description is the kind of credential a video management system (VMS) typically stores for every camera it manages, so compromise of the VMS host or its credential store would hand an attacker the prerequisite for this flaw across the whole camera estate. The Medium score reflects the trade-off between the high impact of root and the high complexity and privilege needed to reach it, but the density of Axis deployments in Europe and their placement in critical sectors raise the practical impact. Organisations may also face regulatory and compliance consequences if such devices are compromised, notably under GDPR (surveillance footage is personal data) and the NIS Directive.
Mitigation Recommendations
1. Restrict administrator accounts on AXIS OS devices to the few people and systems that need them, use strong, unique credentials per device, and where the firmware supports federated login through an identity provider enforce multi-factor authentication (MFA) there; otherwise place the management interface behind an MFA-protected jump host or VPN.
2. Monitor and audit administrator activity: forward device logs to a central SIEM (AXIS OS can send its logs to a remote syslog server) and alert on administrator logins from unexpected sources, new user creation, SSH being enabled, and changes to storage or user configuration outside maintenance windows.
3. Segment cameras and encoders into their own network zone so that a rooted device cannot reach enterprise systems, and allow only the VMS and management hosts to talk to them.
4. Enforce network-level access control (firewall rules, VPN) so that each device's HTTP/HTTPS interface, and with it the VAPIX API, is reachable only from those hosts.
5. Track Axis Communications' security advisories and move to a fixed AXIS OS release as soon as one is available for the affected track; a fleet tool such as AXIS Device Manager simplifies rolling firmware upgrades.
6. Conventional endpoint detection and response (EDR) agents cannot be installed on AXIS OS, so rely on the forwarded device logs from item 2, configuration baselining and monitoring of firmware versions and enabled services rather than on endpoint agents to spot privilege escalation or persistence on the device.
7. Include physical-security devices and their management interfaces in regular security assessments and penetration tests.
8. Where possible, disable or restrict API functionality that is not required, including edge storage if no SD card or NAS recording is used, to reduce the privileged surface an administrator session can reach.
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Belgium, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Axis
- Date Reserved: 2025-08-15T06:07:25.330Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6912e86ab7bc43ed74661873
Added to database: 11/11/2025, 7:40:26 AM
Last enriched: 11/11/2025, 7:40:58 AM
Last updated: 11/12/2025, 10:55:01 AM