exploitDog

CVE-2025-63221

Опубликовано: 19 нояб. 2025

Источник: nvd

CVSS3: 9.1

EPSS Низкий

Описание

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Ссылки

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control
Exploit
Third Party Advisory
https://www.axeltechnology.com/
Product

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:o:axeltechnology:puma_firmware:*:*:*:*:*:*:*:*

Версия от 0.8.5 (включая) до 1.0.3 (включая)

cpe:2.3:h:axeltechnology:puma:-:*:*:*:*:*:*:*

EPSS

Процентиль: 38%

0.00169

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-284

Связанные уязвимости

GHSA-jqjj-9hc3-x3q4

CVSS3: 9.1

github

3 месяца назад

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

EPSS

Процентиль: 38%

0.00169

Низкий

9.1 Critical

CVSS3

Дефекты

CWE-284