CVE-2025-6779
📋 TL;DR
CVE-2025-6779 is an improper permissions vulnerability in ACAP configuration files on Axis devices that could allow command injection and privilege escalation. This affects Axis devices configured to allow installation of unsigned ACAP applications. Attackers would need to trick users into installing malicious ACAP applications to exploit this vulnerability.
💻 Affected Systems
- Axis network cameras and video encoders with ACAP support
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root privileges, allowing attackers to execute arbitrary commands, steal data, or pivot to other network systems.
Likely Case
Local privilege escalation on the affected Axis device, potentially allowing attackers to modify device configurations or access restricted functionality.
If Mitigated
No impact if devices are configured to only accept signed ACAP applications from trusted sources.
🎯 Exploit Status
Exploitation requires social engineering to convince users to install malicious ACAP applications, plus device configuration allowing unsigned applications.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Axis security advisory for specific firmware versions
Vendor Advisory: https://www.axis.com/dam/public/92/9a/13/cve-2025-6779pdf-en-US-504217.pdf
Restart Required: Yes
Instructions:
1. Download latest firmware from Axis website
2. Backup current configuration
3. Upload firmware via web interface or AXIS Device Manager
4. Apply firmware update
5. Reboot device
6. Verify firmware version
🔧 Temporary Workarounds
Disable unsigned ACAP applications
Configure device to only allow installation of signed ACAP applications from trusted sources
Configure via web interface: System > Applications > Settings > Only allow signed applications
Restrict ACAP installation permissions
Limit who can install ACAP applications on the device
Configure via web interface: System > Users > Set appropriate permissions
🧯 If You Can't Patch
- Configure devices to only accept signed ACAP applications
- Implement network segmentation to isolate Axis devices from critical systems
- Monitor for unauthorized ACAP installation attempts
- Educate users about risks of installing untrusted applications
🔍 How to Verify
Check if Vulnerable:
Check device configuration for unsigned ACAP application allowance and review installed ACAP applications for suspicious entries
Check Version:
Check via web interface: System > Support > System Overview or via SSH: cat /etc/version
Verify Fix Applied:
Verify firmware version matches patched version from Axis advisory and confirm unsigned ACAP applications are disabled
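An added example (not from the Axis advisory or from this page's source) that applies the two checks above across a device inventory: whether firmware is at or above the patched version, and whether unsigned ACAP applications are still allowed. The CSV columns, the status names and the version numbers in `PATCHED_MIN` are assumptions constructed for illustration; take the real patched versions from the Axis advisory.

```python
# Added example: fleet triage for CVE-2025-6779 from an inventory export.
# Every version and device row here is a CONSTRUCTED placeholder.
import csv
import io

# Minimum patched firmware per major release track (placeholder values,
# NOT the versions from the Axis advisory).
PATCHED_MIN = {11: "11.0.100", 12: "12.0.50"}

# Constructed inventory: name, firmware, whether unsigned ACAPs are allowed.
SAMPLE_INVENTORY = """name,firmware,allow_unsigned
cam-lobby,11.0.99,true
cam-dock,11.0.100,true
enc-roof,12.0.12,false
cam-lab,10.12.3,false
cam-gate,12.x,true
"""

def parse_version(text):
    """Turn '11.0.99' into (11, 0, 99); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(firmware, allow_unsigned, patched_min=PATCHED_MIN):
    """Combine the firmware check with the signed-only setting."""
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown"
    floor = patched_min.get(version[0])
    if floor is None:
        return "unknown"  # release track missing from the table: check by hand
    if version >= parse_version(floor):
        # Fix verification also requires unsigned applications to be disabled.
        return "patched-but-unsigned-allowed" if allow_unsigned else "patched"
    return "exposed" if allow_unsigned else "mitigated"

def triage(inventory_csv):
    """Map each device name in the CSV to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["name"]: classify(r["firmware"],
                                r["allow_unsigned"].strip().lower() == "true")
            for r in rows}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:10} {status}")
```

Devices reported as `unknown` have a firmware string that could not be parsed or belong to a track missing from the table, so they need a manual check rather than being assumed safe.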
📡 Detection & Monitoring
Log Indicators:
- Unauthorized ACAP application installation attempts
- Unexpected process execution from ACAP directories
- Permission changes to ACAP configuration files
Network Indicators:
- Unexpected outbound connections from Axis devices
- ACAP package downloads from untrusted sources
SIEM Query:
source="axis_device" AND (event="acap_install" OR event="permission_change")