CVE-2025-0360
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-0360 is a vulnerability in the VAPIX Device Configuration framework used in Axis Communications products: a flaw in the VAPIX service account D-Bus API can grant a user an incorrect, higher privilege level than intended. The issue was discovered by Truesec during an annual penetration test performed on behalf of Axis. It is classified as CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability.
Exploitation requires an attacker who already holds low-privileged local access to an affected Axis device (AV:L, PR:L). Because the attack vector is local, the flaw does not by itself provide remote access; it presupposes an existing foothold such as a low-privileged account. From that position, abusing the D-Bus API lets the attacker elevate privileges and thereby read sensitive data, alter the device configuration, or disrupt device operation, which is what the C:H/I:H/A:H ratings express.
Axis Communications has published an advisory (PDF) describing the issue and its remediation: https://www.axis.com/dam/public/b1/fe/46/cve-2025-0360pdf-en-US-466887.pdf. Consult it for the affected products and firmware versions, the fixed releases, and any workarounds before deciding whether a given device needs patching.
Details
CWE(s): CWE-863 (Incorrect Authorization)
Affected Products: see the Axis advisory linked above for the affected products and firmware versions.
MITRE ATT&CK Enterprise Techniques: T1068 Exploitation for Privilege Escalation
Why these techniques?
The vulnerability is a local privilege-escalation flaw (CWE-863, Incorrect Authorization) in the VAPIX D-Bus API: a low-privileged local attacker exploits a software defect to obtain higher privileges, with high impact on confidentiality, integrity and availability. That is precisely the behaviour Exploitation for Privilege Escalation describes, so the mapping is direct.