An improper input validation flaw in the ACAP application installation process on Axis Communications AB AXIS OS allows local users to gain elevated privileges. When an ACAP application that is unsigned is installed, the installer accepts it without proper checks, leading to a potential privilege escalation that could grant the attacker full control of the device. The weakness is a classic example of CWE‑732, where misconfigured authority management permits an unintended entity to broaden its privileges.

Axis Communications AB AXIS OS devices are impacted. All devices that permit the installation of ACAP applications are potentially vulnerable; no specific firmware versions are listed, so any AXIS OS implementation that supports ACAP should be considered at risk.

The CVSS score of 6.7 indicates a medium severity vulnerability. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the device to be configured to allow unsigned ACAP installs and the attacker must convince a user to install a malicious ACAP—a form of social engineering. The likely attack vector is a local or remote installation scenario where the attacker controls the installation file, with no network‑level exploit prerequisites evident from the description. The overall risk is moderate: privileged escalation is possible but manual user interaction and configuration prerequisites limit widespread exploitation.