CVE-2025-0324 — Incomplete Filtering of Special Elements in Communications AB Axis OS

CWE-791 — Incomplete Filtering of Special Elements3 documents3 sources

Severity

8.8HIGHNVD

CNA9.4

EPSS

0.3%

top 42.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis Communications AB Axis OS Axis OS Axis OS 2024

Timeline

PublishedJun 2

Description

The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶NVDaxis/axis_os12.0.0 — 12.3.33

▶NVDaxis/axis_os_202411.8.0 — 11.11.140

▶CVEListV5axis_communications_ab/axis_os11.8.0 — 11.11.140+1

🔴Vulnerability Details

GHSA

GHSA-8v6x-2r55-mmxr: The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges↗2025-06-02

▶

CVEList

CVE-2025-0324: The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges↗2025-06-02

▶