CVE-2025-9524 identifies a vulnerability in the VAPIX API port.cgi component of Axis Communications AB's AXIS OS, spanning versions 6.50.0 to 12.0.0. The root cause is improper validation of input types (CWE-1287), which allows specially crafted inputs to cause process crashes, thereby affecting the availability and usability of the affected device. The vulnerability is exploitable only after authentication with a service account possessing viewer, operator, or administrator privileges, meaning attackers must first gain legitimate access to the device. The CVSS 3.1 base score is 4.3 (medium), reflecting a network attack vector with low complexity, requiring privileges but no user interaction, and impacting availability only. While no known exploits are reported in the wild, the vulnerability could be leveraged to disrupt video surveillance services by crashing processes, potentially causing denial of service conditions. This could affect security monitoring and incident response capabilities in environments relying on AXIS OS devices. The lack of patches at the time of publication necessitates interim mitigations such as strict access controls and monitoring. Given the widespread use of Axis devices in physical security, especially in critical infrastructure and enterprise environments, this vulnerability poses a tangible risk to operational continuity.

For European organizations, the primary impact is on availability of AXIS OS-based surveillance devices, which are widely deployed in sectors such as transportation, government, critical infrastructure, and corporate security. Process crashes induced by this vulnerability could lead to temporary loss of video feeds or degraded device functionality, undermining security monitoring and incident response. This can increase the risk of undetected physical security breaches or delayed reactions to incidents. Organizations with large deployments of Axis devices or those relying heavily on continuous video surveillance are particularly vulnerable. The requirement for authenticated access limits exploitation to insiders or attackers who have compromised credentials, but insider threats or lateral movement within networks could still enable exploitation. The medium severity rating reflects that while confidentiality and integrity are not impacted, availability disruptions in security systems can have significant operational consequences. Additionally, the absence of known exploits currently provides a window for proactive mitigation before exploitation becomes widespread.

1. Enforce strict access control policies to limit authentication to trusted users only, employing strong authentication mechanisms such as multi-factor authentication (MFA) for all viewer, operator, and administrator accounts. 2. Regularly audit and monitor access logs for unusual or unauthorized authentication attempts to the VAPIX API and related services. 3. Segment network access to AXIS OS devices, restricting API access to trusted management networks and minimizing exposure to untrusted networks. 4. Implement rate limiting and anomaly detection on API endpoints to detect and block malformed or suspicious input patterns that could trigger crashes. 5. Maintain an inventory of all AXIS OS devices and their firmware versions to prioritize patching once vendor updates become available. 6. Engage with Axis Communications for timely updates and apply patches promptly when released. 7. Educate administrators and operators on the importance of credential security to prevent unauthorized access. 8. Consider deploying redundancy or failover mechanisms for critical surveillance systems to mitigate availability impacts during potential crashes.