CVE-2025-0359
Published: 04 March 2025
Summary
CVE-2025-0359 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Axis AXIS OS. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 29.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-25 (Reference Monitor): implements a reference monitor mechanism to enforce access control policies, directly preventing applications from accessing restricted D-Bus methods in the ACAP framework.
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, addressing the incorrect authorization flaw (CWE-863) that allows unprivileged applications to invoke restricted D-Bus methods.
- AC-6 (Least Privilege): employs least privilege for processes, including ACAP applications, limiting their ability to access or impact restricted D-Bus methods even if authorization checks fail.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unprivileged local attackers to invoke restricted D-Bus methods via malicious ACAP applications due to incorrect authorization (CWE-863), directly enabling privilege escalation with scope change and high integrity impact.
NVD Description
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Deeper analysis
CVE-2025-0359 is a vulnerability in the ACAP Application framework used in Axis Communication products running AXIS OS. Discovered by Truesec during an annual penetration test on behalf of Axis, the flaw enables applications to access restricted D-Bus methods within the framework, violating access controls. It is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 8.5 (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L), indicating high severity due to its potential for integrity compromise across security scopes.
Local attackers with unprivileged access can exploit this vulnerability with low attack complexity and no user interaction required. By leveraging malicious ACAP applications, they can invoke restricted D-Bus methods, resulting in low confidentiality and availability impact alongside high integrity impact. The scope change (S:C) amplifies the risk, as exploitation affects components beyond the vulnerable framework.
Axis has addressed the issue by releasing patched versions of AXIS OS. Security practitioners should consult the official Axis security advisory at https://www.axis.com/dam/public/68/08/c5/cve-2025-0359pdf-en-US-466885.pdf for detailed patch information, affected product lists, and upgrade instructions.
Details
- CWE(s)