CVE-2025-0324

CRITICAL

Published Jun 2, 2025 Modified Jan 15, 2026 CWE-791

Description

The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges.

CVSS v3.1 Score

9.4

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Weakness Type (CWE)

CWE-791 CWE-791

Affected Products

Vendor	Product	Versions
axis	axis_os	12.0.0 — 12.3.33
axis	axis_os_2024	11.8.0 — 11.11.140

References

Advisories & Patches

https://www.axis.com/dam/public/04/f3/1c/cve-2025-0324pdf-en-US-483807.pdf

Frequently Asked Questions

What is CVE-2025-0324? +

The VAPIX Device Configuration framework allowed a privilege escalation, enabling a lower-privileged user to gain administrator privileges. It has a CVSS v3.1 base score of 9.4 (CRITICAL).

How severe is CVE-2025-0324? +

CVE-2025-0324 has a CVSS v3.1 score of 9.4 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2025-0324? +

CVE-2025-0324 affects products from axis, specifically: axis_os, axis_os_2024. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2025-0324? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-44232

DSSRF is a Node.js library that provides a wide range of utilities and advanced SSRF defense checks. Prior to 1.3.0, …

CVE-2024-45481

An Incomplete Filtering of Special Elements vulnerability in scripts using the SSH server on B&R APROL <4.4-00P5 may allow an …

CVE-2024-47590 8.8

An unauthenticated attacker can create a malicious link which they can make publicly available. When an authenticated victim clicks on …

CVE-2024-27489 7.5

An issue in the DelFile() function of WMCMS v4.4 allows attackers to delete arbitrary files via a crafted POST request.

CVE-2026-7164 7.5

Incorrect packet validation allowed unbounded recursion parsing SCTP chunk parameters. This can eventually result in a stack overflow and panic. …

CVE-2025-6761 7.3

A vulnerability was found in Kingdee Cloud-Starry-Sky Enterprise Edition 6.x/7.x/8.x/9.0. It has been rated as critical. Affected by this issue …

Quick Facts

CVSS Score: 9.4
Severity: CRITICAL
Published: Jun 2, 2025

Scan for this vulnerability

Check if your website or infrastructure is affected by CVE-2025-0324.

Website Scan Port Scan

Browse CVEs

Critical High CISA KEV ! Most likely exploited →