CVE-2025-0360

Severity: High
Published: 04 March 2025
Modified: 22 January 2026
Patch: see vendor advisory (below)
CVSS Score: 7.8 (vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0015 (35.5th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0360 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Axis OS by Axis. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 35.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-3 (prevent): requires enforcement of approved authorizations for access to system resources, directly addressing the incorrect user privilege level flaw in the VAPIX D-Bus API.
- AC-6 (prevent): enforces least privilege for users and processes, mitigating privilege escalation by ensuring the VAPIX service account has only the privileges it needs.
- SI-2 (prevent): mandates timely identification, reporting, and correction of flaws, enabling patching of the authorization vulnerability in the Device Configuration framework.

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a local privilege escalation flaw (CWE-863 Incorrect Authorization) in the VAPIX D-Bus API that allows a low-privileged local attacker to elevate privileges and impact confidentiality, integrity, and availability, directly mapping to exploitation of a software vulnerability for privilege escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the VAPIX Device Configuration framework that could lead to an incorrect user privilege level in the VAPIX service account D-Bus API.

Deeper analysis

CVE-2025-0360 is a vulnerability in the VAPIX Device Configuration framework used by Axis Communication products, where a flaw can result in an incorrect user privilege level within the VAPIX service account D-Bus API. Discovered by Truesec during an annual penetration test on behalf of Axis, this issue corresponds to CWE-863 (Incorrect Authorization) and carries a CVSS v3.1 base score of 7.8 (High), reflecting local vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).

The vulnerability can be exploited by a local attacker with low-level privileges on an affected Axis device. By leveraging the flaw in the D-Bus API, such an attacker can elevate their privileges, potentially gaining unauthorized access to sensitive data, modifying system configurations, or disrupting device operations, as indicated by the high impact ratings across confidentiality, integrity, and availability.

Axis Communications has published an advisory detailing the issue and mitigation steps, available at https://www.axis.com/dam/public/b1/fe/46/cve-2025-0360pdf-en-US-466887.pdf. Security practitioners should consult this document for specific patch information, workarounds, and affected product versions.

Details

CWE(s)

CWE-863 (Incorrect Authorization)

Affected Products

Vendor | Product      | Versions
axis   | axis os      | 11.11.0 to 12.2.41
axis   | axis os 2024 | ≤ 11.11.135

CVEs Like This One

CVE-2025-0359 (same product: Axis OS by Axis)
CVE-2024-47259 (same product: Axis OS by Axis)
CVE-2025-11142 (same product: Axis OS by Axis)
CVE-2025-11547 (same vendor: Axis)
CVE-2026-22806 (shared CWE-863)
CVE-2026-41344 (shared CWE-863)
CVE-2025-4960 (shared CWE-863)
CVE-2024-45328 (shared CWE-863)
CVE-2026-4857 (shared CWE-863)
CVE-2025-27822 (shared CWE-863)

References

Axis Communications advisory for CVE-2025-0360: https://www.axis.com/dam/public/b1/fe/46/cve-2025-0360pdf-en-US-466887.pdf