CVE-2025-13064 PUBLISHED

Assigner: Axis
Reserved: 12.11.2025 Published: 10.02.2026 Updated: 10.02.2026

A server-side injection was possible for a malicious admin to manipulate the application to include a malicious script which is executed by the server. This attack is only possible if the admin uses a client that have been tampered with.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 4.5

Attack Vector	Adjacent Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Axis Communications AB
Product	AXIS Camera Station Pro
Versions	Default: unaffected affected from 6 to 6.14 (excl.)

Credits

Seth Fogie finder

References

https://www.axis.com/dam/public/a9/9e/94/cve-2025-13064pdf-en-US-519290.pdf

Problem Types

CWE-248: Uncaught Exception CWE