CVE-2025-9055: CWE-250: Execution with Unnecessary Privileges in Axis Communications AB AXIS OS

Severity: Medium
Published: Tue Nov 11 2025 (11/11/2025, 07:31:00 UTC)
Source: CVE Database V5
Vendor/Project: Axis Communications AB
Product: AXIS OS

Description

The VAPIX Edge storage API allowed a privilege escalation, enabling a VAPIX administrator-privileged user to gain Linux root privileges. This flaw can only be exploited after authenticating with an administrator-privileged service account.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 06:23:42 UTC

Technical Analysis

CVE-2025-9055 is a vulnerability identified in Axis Communications AB's AXIS OS version 12.0.0, specifically within the VAPIX Edge storage API. The flaw is categorized under CWE-250, which pertains to execution with unnecessary privileges. This vulnerability allows an attacker who has already authenticated with an administrator-privileged service account to escalate their privileges to Linux root level on the device. The vulnerability arises because the VAPIX Edge storage API executes certain operations with excessive privileges beyond what is necessary, enabling privilege escalation. Exploitation requires high privileges initially (administrator-level access) and does not require user interaction, but the attack vector is limited to local or network access where such credentials can be used. The CVSS v3.1 score is 6.4 (medium severity), reflecting the requirement for high privileges and the complexity of exploitation, but the impact on confidentiality, integrity, and availability is high since root access allows complete control over the device. No public exploits or patches are currently available, indicating that organizations must rely on compensating controls. AXIS OS is commonly used in networked security cameras and surveillance devices, making this vulnerability relevant to organizations deploying Axis products in critical infrastructure, enterprise security, and public safety environments.

Potential Impact

The primary impact of CVE-2025-9055 is the potential for privilege escalation from an administrator-privileged user to root on devices running AXIS OS 12.0.0. Root access allows an attacker full control over the device, including the ability to modify system files, install malware, disrupt device functionality, or pivot to other networked systems. This compromises confidentiality by exposing sensitive video or data streams, integrity by allowing tampering with device configurations or logs, and availability by potentially disabling security devices. Organizations relying on Axis devices for surveillance and security may face increased risk of espionage, sabotage, or unauthorized access to physical premises. Since exploitation requires administrator credentials, the threat is heightened if credential management is weak or if attackers gain access through phishing or insider threats. The lack of known public exploits reduces immediate risk but also means organizations must proactively mitigate. The vulnerability could have cascading effects in environments where Axis devices are integrated into broader security or operational technology systems.

Mitigation Recommendations

1. Restrict administrator-privileged account access strictly to trusted personnel and systems, implementing strong authentication mechanisms such as multi-factor authentication (MFA) where possible.
2. Monitor and audit all administrator account activities on AXIS OS devices to detect unusual or unauthorized actions promptly.
3. Segment network zones to isolate Axis devices from general user networks, limiting exposure to potential attackers.
4. Employ network-level access controls and firewall rules to restrict access to the VAPIX Edge storage API and administrative interfaces to only necessary hosts.
5. Regularly review and rotate administrator credentials to reduce the risk of credential compromise.
6. Until a vendor patch is released, consider deploying host-based intrusion detection systems (HIDS) or endpoint protection solutions capable of detecting privilege escalation attempts on these devices.
7. Engage with Axis Communications for updates and apply patches immediately once available.
8. Conduct security awareness training focused on protecting administrator credentials and recognizing phishing attempts that could lead to credential theft.

Technical Details

Data Version: 5.2
Assigner Short Name: Axis
Date Reserved: 2025-08-15T06:07:25.330Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6912e86ab7bc43ed74661873

Added to database: 11/11/2025, 7:40:26 AM

Last enriched: 2/27/2026, 6:23:42 AM

Last updated: 3/24/2026, 12:13:39 AM
