CVE-2025-9524
BaseFortify
Publication date: 2025-11-11
Last updated on: 2025-11-12
Assigner: Axis Communications AB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| axis | axis_os | 12.7.11 |
| axis | axis_os | 10.12.305 |
| axis | axis_os | 11.11.177 |
| axis | axis_os | 9.80.123 |
| axis | axis_os | 12.6 |
| axis | axis_os | 8.40.89 |
| axis | axis_os | 6.50 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9524 is a vulnerability in the VAPIX API port.cgi endpoint of AXIS OS versions 6.50 through 12.6. It is caused by insufficient input validation, which can lead to process crashes and impact the usability of the device. Exploitation requires authentication with a viewer, operator, or administrator privileged service account. [1]
How can this vulnerability impact me? :
This vulnerability can cause process crashes on affected devices, which may impact device usability. However, it does not affect confidentiality or integrity, only availability to some extent. Exploitation requires authenticated access with certain privileges, so the risk is limited to authorized users. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the VAPIX API port.cgi endpoint on AXIS OS devices and requires authenticated access with viewer, operator, or administrator privileges. Detection involves verifying if the device is running a vulnerable AXIS OS version (6.50 through 12.6) and checking for abnormal process crashes related to port.cgi. Since exploitation requires authentication, monitoring authenticated API requests to port.cgi for unusual input patterns or crashes may help. Specific detection commands are not provided in the available resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating AXIS OS devices to the patched versions released by Axis, such as Active Track 12.7.11, LTS 2024 11.11.177, LTS 2022 10.12.305, LTS 2020 9.80.123, or former LTS versions 8.40.89 and 6.50.5.21. Users should apply these updates according to their device's maintenance schedule. Additionally, restrict access to the VAPIX API port.cgi endpoint to trusted authenticated users only and monitor for unusual activity. Contact Axis Technical Support for assistance if needed. [1]