CVE-2025-0359 in AXIS
Summary
by MITRE • 03/04/2025
During an annual penetration test conducted on behalf of Axis Communication, Truesec discovered a flaw in the ACAP Application framework that allowed applications to access restricted D-Bus methods within the framework. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/23/2026
The vulnerability identified as CVE-2025-0359 represents a significant security flaw within the ACAP Application framework of Axis Communication devices, specifically exposing restricted D-Bus methods to unauthorized applications. This vulnerability emerged during a routine penetration test conducted by Truesec on behalf of Axis Communications, highlighting a critical weakness in the device's application security architecture. The flaw allows malicious or compromised applications to bypass normal access controls and invoke sensitive D-Bus methods that should remain restricted to authorized system components.
D-Bus represents a crucial inter-process communication mechanism used extensively in Linux-based systems for enabling communication between different software components. The vulnerability stems from inadequate access control implementation within the ACAP framework, which fails to properly enforce method-level security restrictions for D-Bus interfaces. This allows applications running within the framework to access methods that typically require elevated privileges or specific authorization tokens. The flaw essentially creates a path for privilege escalation and unauthorized system interaction that could potentially lead to complete system compromise.
The operational impact of this vulnerability extends beyond simple unauthorized access, as D-Bus methods often provide interfaces to critical system functions including device configuration, network management, and security parameter modification. Attackers exploiting this vulnerability could potentially manipulate device behavior, extract sensitive information, or establish persistent access points within the network infrastructure. The risk is particularly elevated in environments where Axis devices serve as network security appliances or surveillance systems, as these devices often contain sensitive operational data and control mechanisms. This vulnerability directly aligns with CWE-284, which addresses improper access control in software systems, and represents a clear violation of the principle of least privilege in system design.
Mitigation strategies for CVE-2025-0359 primarily focus on implementing the patched AXIS OS versions released by Axis Communications, which address the underlying access control implementation flaws within the ACAP framework. Organizations should immediately deploy these patches across all affected devices and conduct comprehensive inventory audits to ensure complete remediation. Additionally, network segmentation and application whitelisting policies should be implemented to limit the potential impact of any remaining vulnerabilities. Security monitoring should be enhanced to detect unauthorized application installations or suspicious D-Bus method invocations. From an ATT&CK framework perspective, this vulnerability maps to privilege escalation techniques and potentially to persistence mechanisms if exploited effectively. Regular security assessments and penetration testing should be maintained to identify similar access control weaknesses in other system components. The vulnerability demonstrates the critical importance of secure D-Bus implementation and proper access control enforcement in embedded systems, particularly those serving security-critical functions in network infrastructure deployments.