exploitDog

CVE-2025-63223

Published: 19 Nov 2025
Source: nvd
CVSS3: 9.8
EPSS: Low

Description

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Vulnerable configurations

Configuration 1

All of the following simultaneously

cpe:2.3:o:axeltechnology:streamermax_mk_ii_firmware:*:*:*:*:*:*:*:*
Versions from 0.8.5 (inclusive) to 1.0.3 (inclusive)
cpe:2.3:h:axeltechnology:streamermax_mk_ii:-:*:*:*:*:*:*:*

EPSS

Percentile: 75%
0.00877
Low

9.8 Critical

CVSS3

Weaknesses

CWE-284

Related vulnerabilities

CVSS3: 9.8
github
3 months ago

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
