CVE-2025-0361 — Observable Discrepancy in Communications AB Axis OS

CWE-203 — Observable Discrepancy CWE-122 — Heap-based Buffer Overflow4 documents4 sources

Severity

5.3MEDIUMNVD

CNA4.3

EPSS

0.2%

top 57.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Axis Communications AB Axis OS Axis OS Axis OS 2024

Timeline

PublishedApr 8

Description

During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework that allowed for unauthenticated username enumeration through the VAPIX Device Configuration SSH Management API.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5axis_communications_ab/axis_os11.11.0 — 11.11.141+1

▶NVDaxis/axis_os11.11.0 — 12.3.56

▶NVDaxis/axis_os_2024< 11.11.141

🔴Vulnerability Details

CVEList

CVE-2025-0361: During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework th↗2025-04-08

▶

GHSA

GHSA-294x-x7jx-8864: During an annual penetration test conducted on behalf of Axis Communications, Truesec discovered a flaw in the VAPIX Device Configuration framework th↗2025-04-08

▶

📋Vendor Advisories

Microsoft

Heap-based Buffer Overflow in vim/vim↗2022-01-11

▶