CVE-2025-12757: AXIS Camera Station Pro Info Disclosure

CVE-2025-12757 Overview

A path traversal vulnerability (CWE-22) exists in AXIS Camera Station Pro that allows non-administrative users to access information beyond their authorized scope. This security flaw enables authenticated users with low privileges to exploit a feature within the application to view sensitive data they should not have permission to access.

Critical Impact

Non-admin users can bypass access controls to view restricted information in AXIS Camera Station Pro deployments, potentially exposing sensitive surveillance data and system configurations.

Affected Products

• AXIS Camera Station Pro

Discovery Timeline

• 2026-02-10 - CVE-2025-12757 published to NVD
• 2026-02-10 - Last updated in NVD database

Technical Details for CVE-2025-12757

Vulnerability Analysis

This vulnerability represents a path traversal weakness (CWE-22) in AXIS Camera Station Pro's access control implementation. The flaw exists within a specific feature that fails to properly sanitize or validate user-supplied input, allowing authenticated users to traverse directory structures and access resources outside their intended scope.

The attack requires adjacent network access and low-privilege authentication, meaning an attacker must already have valid credentials and be positioned on the same network segment as the vulnerable system. This limits the attack surface but still poses a significant risk in enterprise environments where multiple users access the camera management platform.

The vulnerability allows both unauthorized information disclosure and potential integrity impacts, as indicated by the partial confidentiality and integrity effects. Surveillance systems like AXIS Camera Station Pro often contain sensitive data including camera feeds, access logs, and system configurations that could be valuable to malicious actors.

Root Cause

The root cause is improper input validation in a feature that processes user requests. The application fails to adequately sanitize path components, allowing directory traversal sequences (such as ../) to escape the intended directory boundaries. This classic CWE-22 vulnerability pattern occurs when user-controlled input is used to construct file paths without proper validation or canonicalization.

Attack Vector

The attack requires an authenticated user with low-level privileges on the adjacent network. The attacker exploits the path traversal vulnerability by manipulating requests to the affected feature, injecting directory traversal sequences to access files or information outside their authorized scope.

The adjacent network requirement means the attacker must be on the same local network segment, which could include:

• Internal corporate networks with camera systems
• Compromised IoT devices on the same network
• Physical access to the surveillance network infrastructure

Once authenticated, the attacker can craft requests that traverse directory structures to access restricted information, potentially viewing configurations, user data, or other sensitive surveillance-related content managed by the Camera Station Pro application.

Detection Methods for CVE-2025-12757

Indicators of Compromise

• Unusual file access patterns from non-admin user accounts in AXIS Camera Station Pro logs
• Requests containing directory traversal sequences (../, ..%2f, %2e%2e/) in application logs
• Non-admin accounts accessing administrative or restricted data paths
• Unexpected information access events correlating with low-privilege user sessions

Detection Strategies

• Monitor AXIS Camera Station Pro application logs for path traversal patterns in user requests
• Implement network-level monitoring for anomalous traffic patterns to the Camera Station Pro server
• Deploy file integrity monitoring on sensitive configuration directories
• Review user access logs for privilege escalation or unauthorized data access attempts

Monitoring Recommendations

• Enable verbose logging in AXIS Camera Station Pro for authentication and access events
• Configure SIEM rules to alert on directory traversal patterns in request strings
• Monitor for unusual user behavior patterns, especially non-admin accounts accessing restricted areas
• Implement baseline monitoring for normal user access patterns to detect anomalies

How to Mitigate CVE-2025-12757

Immediate Actions Required

• Review the Axis Security Advisory for vendor-specific guidance
• Audit user accounts and remove unnecessary privileges from non-admin users
• Implement network segmentation to limit adjacent network access to the Camera Station Pro server
• Monitor for exploitation attempts while awaiting or applying patches

Patch Information

Axis Communications has published a security advisory addressing this vulnerability. Organizations should consult the official Axis Security Advisory for CVE-2025-12757 for specific patch information, affected version details, and remediation instructions.

Workarounds

• Restrict network access to AXIS Camera Station Pro to only essential personnel and systems
• Implement additional network segmentation to limit adjacent network attack surface
• Enforce the principle of least privilege by reviewing and restricting user permissions
• Deploy web application firewalls (WAF) or input filtering to block path traversal patterns
• Consider implementing additional authentication layers for sensitive features

The vulnerability mechanism involves improper handling of user-supplied input in path construction. Organizations should review the official Axis security advisory for complete technical details and recommended mitigations specific to their deployment configuration.