Cyber Posture

CVE-2025-63218

Severity: Critical · Public PoC available

Published: 19 November 2025
Modified: 12 January 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0088 (75.4th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: AC-14 requires explicit identification and authorization of actions permitted without identification or authentication, directly preventing exposure of sensitive unauthenticated endpoints like /cgi-bin/gstFcgi.fcgi.
- prevent: AC-3 mandates enforcement of approved authorizations for access to system resources, addressing the missing access enforcement on the vulnerable endpoint that allows full device compromise.
- prevent: AC-6 enforces least privilege for authorized accesses, limiting damage from unauthorized user creation, deletion, and system modification even if initial access control fails.

Security Summary (AI-generated)

CVE-2025-63218 is a Broken Access Control vulnerability (CWE-284, CWE-285) affecting Axel Technology WOLF1MS and WOLF2MS devices running firmware versions 0.8.5 through 1.0.3. The issue stems from missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, which exposes sensitive device management functions without requiring credentials. This critical flaw, assigned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), was published on 2025-11-19.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows attackers to list existing user accounts, create new administrative users, delete users, and modify system settings, resulting in full compromise of the affected device.

Advisories and further details are available in the referenced GitHub repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control, which contains vulnerability research, and on the vendor's website at https://www.axeltechnology.com/. No specific patch or mitigation guidance is detailed in the primary CVE information.

Details

CWE(s): CWE-284, CWE-285

Affected Products

| Vendor | Product | Affected versions |
|---|---|---|
| axeltechnology | wolf1ms firmware | 0.8.5 to 1.0.3 |
| axeltechnology | wolf2ms firmware | 0.8.5 to 1.0.3 |

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1087.001 Local Account (Discovery): Adversaries may attempt to get a listing of local system accounts.
- T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.

Why these techniques?

Unauthenticated access to the device management endpoint enables exploitation of a public-facing application (T1190), listing of user accounts (T1087.001), and creation of administrative accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
