CVE-2025-0359
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-0359 is a vulnerability in the ACAP Application framework used in Axis Communications products running AXIS OS. Discovered by Truesec during an annual penetration test performed on behalf of Axis, the flaw allows an application to call restricted D-Bus methods within the framework, bypassing the framework's access controls. It is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.5 (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L), a high severity driven mainly by the high integrity impact and the change of security scope.
Local attackers with unprivileged access can exploit this vulnerability with low complexity and no user interaction. Through a malicious ACAP application they can invoke restricted D-Bus methods, producing low confidentiality and availability impact but high integrity impact. The scope change (S:C) amplifies the risk, because exploitation affects components beyond the vulnerable framework itself.
Axis has addressed the issue by releasing patched versions of AXIS OS. Security practitioners should consult the official Axis security advisory at https://www.axis.com/dam/public/68/08/c5/cve-2025-0359pdf-en-US-466885.pdf for detailed patch information, affected product lists, and upgrade instructions.
Details
CWE(s): CWE-863 (Incorrect Authorization)
Affected Products: Axis Communications products running AXIS OS with the ACAP Application framework (see the Axis advisory for the full list of affected products and fixed versions)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unprivileged local attackers to invoke restricted D-Bus methods via malicious ACAP applications due to incorrect authorization (CWE-863), directly enabling privilege escalation with scope change and high integrity impact.