Can you explain this vulnerability to me?

CVE-2025-9055 is a vulnerability in the VAPIX Edge storage API of AXIS OS versions 12.0.0 through 12.7.30. It allows a user who already has VAPIX administrator-level privileges to escalate their privileges to gain Linux root access. Exploiting this flaw requires prior authentication with an administrator-privileged service account. The vulnerability is classified as CWE-250: Execution with Unnecessary Privileges and has a CVSSv3.1 score of 6.4 (Medium). [1]

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can allow an attacker with VAPIX administrator-level access to gain full Linux root privileges on the device, potentially leading to complete control over the system. This could result in unauthorized actions such as modifying system files, installing malicious software, or disrupting device operations. Since exploitation requires prior administrator-level authentication, the risk is limited to users who already have high-level access, but the impact of a successful exploit is significant. [1]

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should update your Axis device software to AXIS OS version 12.7.31 or later, where the patch addressing this issue has been released. For devices not on the Active Track but still supported, apply patches according to their maintenance schedules. Additionally, contact Axis Technical Support for further assistance if needed. [1]

Useful 0 Not Useful 0