CVE-2025-5452
📋 TL;DR
This vulnerability allows malicious ACAP applications to steal admin-level service account credentials from legitimate ACAP applications on Axis devices, potentially enabling privilege escalation. It affects Axis devices configured to allow installation of unsigned ACAP applications. Attackers must convince victims to install their malicious application to exploit this flaw.
💻 Affected Systems
- Axis network cameras and video encoders with ACAP support
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Axis device with administrative privileges, allowing attackers to disable security controls, install persistent backdoors, or pivot to other network systems.
Likely Case
Malicious ACAP application gains elevated privileges to access sensitive device functions, modify configurations, or exfiltrate data from the device.
If Mitigated
No impact if devices are configured to only allow signed ACAP applications, as the vulnerability cannot be exploited without unsigned application installation.
🎯 Exploit Status
Exploitation requires social engineering to convince a user to install a malicious ACAP application, and the device must be configured to allow installation of unsigned applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Axis security advisory for specific firmware versions
Vendor Advisory: https://www.axis.com/dam/public/39/ba/8b/cve-2025-5452pdf-en-US-504212.pdf
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Axis website.
2. Back up the device configuration.
3. Upload the firmware via the web interface.
4. Apply the firmware update.
5. Reboot the device.
6. Restore the configuration if needed.
🔧 Temporary Workarounds
Disable Unsigned ACAP Applications
Configure the device to only allow installation of signed ACAP applications.
Configure via Axis device web interface: Settings > System > Applications > Only allow signed applications
🧯 If You Can't Patch
- Configure devices to only allow signed ACAP applications
- Implement network segmentation to isolate Axis devices from critical systems
🔍 How to Verify
Check if Vulnerable:
Check whether the device allows unsigned ACAP applications in the web interface settings.
Check Version:
Check via web interface: Settings > System > Overview > Firmware version
Verify Fix Applied:
Verify that the firmware version matches the patched version from the Axis advisory, and confirm that unsigned ACAP applications are disabled.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized ACAP application installations
- Unusual service account credential access attempts
Network Indicators:
- Unexpected outbound connections from Axis devices
- Unusual ACAP application communication patterns
SIEM Query:
source="axis_device" AND (event="application_install" OR event="credential_access")
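The detection logic behind the SIEM query above, as an added example that is not part of the original advisory or any Axis tooling. The key=value log format, the field names, the sample lines, and the convention that a service account named svc_<app> belongs to the application <app> are all constructed assumptions for illustration; real Axis log formats differ.

```python
import re

# Constructed sample log lines in a key=value format. This is NOT the real
# Axis log format; it mirrors the fields used in the SIEM query above.
SAMPLE_LOGS = """\
source=axis_device event=application_install app=video_analytics signed=true user=admin
source=axis_device event=credential_access app=video_analytics account=svc_video_analytics
source=axis_device event=application_install app=free_overlay signed=false user=admin
source=axis_device event=credential_access app=free_overlay account=svc_video_analytics
source=axis_device event=parameter_change app=free_overlay key=Network.DNS
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(KV_RE.findall(line))


def detect(log_text):
    """Return a list of (severity, reason, record) findings.

    Two conditions matter for CVE-2025-5452:
      * an ACAP application installed without a valid signature, which is
        the precondition for the attack; and
      * an application reading a service account that does not belong to it
        (assumed convention: account svc_<app> is owned by <app>), which is
        the credential theft itself.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("source") != "axis_device":
            continue
        event = rec.get("event")
        if event == "application_install" and rec.get("signed") != "true":
            findings.append(("medium", "unsigned ACAP install", rec))
        elif event == "credential_access":
            owner = rec.get("account", "").removeprefix("svc_")
            if owner and owner != rec.get("app"):
                findings.append(("high", "cross-application credential access", rec))
    return findings


if __name__ == "__main__":
    for sev, why, rec in detect(SAMPLE_LOGS):
        print(f"[{sev}] {why}: app={rec.get('app')} record={rec}")
```

On the constructed sample the unsigned install of free_overlay is flagged at medium severity, and its subsequent read of svc_video_analytics is flagged at high severity, while video_analytics reading its own account is not.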