Severity
6.7 MEDIUM
EPSS
0.0%
top 93.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 11

Description

An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Exploitability: 0.8 | Impact: 5.9

Affected Packages
2 packages

NVD | axis/axis_os | 12.0.0 | 12.6.7
CVEListV5 | axis_communications_ab/axis_os | 12.0.0.12.6.7

🔴 Vulnerability Details

2
CVEList
CVE-2025-4645: An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution
2025-11-11
GHSA
GHSA-7x49-43rq-5f5c: An ACAP configuration file lacked sufficient input validation, which could allow for arbitrary code execution
2025-11-11

📋 Vendor Advisories

2
Microsoft
LibTIFF 4.4.0 has an out-of-bounds read in tiffcp in tools/tiffcp.c:948 allowing attackers to cause a denial-of-service via a crafted tiff file. For users that compile libtiff from sources the fix is
2023-03-14
Microsoft
Integer overflow in the read_fragment_table_4 function in unsquash-4.c in Squashfs and sasquatch allows remote attackers to cause a denial of service (application crash) via a crafted input which trig
2017-03-14