CVE-2025-9524
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-11

Last updated on: 2025-11-12

Assigner: Axis Communications AB

Description
The VAPIX API port.cgi did not have sufficient input validation, which may result in process crashes and impact usability. This vulnerability can only be exploited after authenticating with a viewer- operator- or administrator-privileged service account.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-11
Last Modified
2025-11-12
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-9524
Affected Vendors & Products
Showing 7 associated CPEs
Vendor Product Version / Range
axis axis_os 12.7.11
axis axis_os 10.12.305
axis axis_os 11.11.177
axis axis_os 9.80.123
axis axis_os 12.6
axis axis_os 8.40.89
axis axis_os 6.50
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9524 is a vulnerability in the VAPIX API port.cgi endpoint of AXIS OS versions 6.50 through 12.6. It is caused by insufficient input validation, which can lead to process crashes and impact the usability of the device. Exploitation requires authentication with a viewer, operator, or administrator privileged service account. [1]

Impact Analysis

This vulnerability can cause process crashes on affected devices, which may impact device usability. However, it does not affect confidentiality or integrity, only availability to some extent. Exploitation requires authenticated access with certain privileges, so the risk is limited to authorized users. [1]

Detection Guidance

This vulnerability affects the VAPIX API port.cgi endpoint on AXIS OS devices and requires authenticated access with viewer, operator, or administrator privileges. Detection involves verifying if the device is running a vulnerable AXIS OS version (6.50 through 12.6) and checking for abnormal process crashes related to port.cgi. Since exploitation requires authentication, monitoring authenticated API requests to port.cgi for unusual input patterns or crashes may help. Specific detection commands are not provided in the available resources. [1]

Mitigation Strategies

Immediate mitigation steps include updating AXIS OS devices to the patched versions released by Axis, such as Active Track 12.7.11, LTS 2024 11.11.177, LTS 2022 10.12.305, LTS 2020 9.80.123, or former LTS versions 8.40.89 and 6.50.5.21. Users should apply these updates according to their device's maintenance schedule. Additionally, restrict access to the VAPIX API port.cgi endpoint to trusted authenticated users only and monitor for unusual activity. Contact Axis Technical Support for assistance if needed. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart