Cyber Posture

CVE-2025-63221

Severity: Critical · Public PoC

Published: 19 November 2025
Modified: 12 January 2026
KEV Added: none listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (30.4th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
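The page names the vulnerable endpoint but not the request parameters an attacker sends to it, so the most defensible detection is "any request to /cgi-bin/gstFcgi.fcgi from a source that is not a known management host". The following is an added example written for this page; it is not code from Cyber Posture, Axel Technology or the linked research repository. It assumes a web-server log in Apache/nginx combined format (the puma device's real log format is not documented here) and a hypothetical management network of 10.10.0.0/24; the sample log lines are constructed for illustration.

```python
"""Access-log detection for hits on the CVE-2025-63221 endpoint (added example).

Flags every request to /cgi-bin/gstFcgi.fcgi whose source address is outside an
assumed management allowlist. Request parameters are unknown, so the rule does
not try to tell "list users" from "create admin"; any untrusted hit is an alert.
"""
import ipaddress
import re
from collections import Counter

VULN_ENDPOINT = "/cgi-bin/gstFcgi.fcgi"  # endpoint named in the CVE description

# Assumption for this example: the only network allowed to administer the device.
MGMT_NETWORKS = [ipaddress.ip_network("10.10.0.0/24")]

# Combined log format: ip - authuser [time] "METHOD path HTTP/x" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample traffic; not captured from any real device.
SAMPLE_LOG = """\
10.10.0.5 - admin [20/Nov/2025:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.0.5 - admin [20/Nov/2025:09:01:30 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.77 - - [20/Nov/2025:09:02:01 +0000] "GET /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 1440 "-" "python-requests/2.31"
203.0.113.77 - - [20/Nov/2025:09:02:02 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.9 - - [20/Nov/2025:09:05:44 +0000] "GET /logo.png HTTP/1.1" 200 9001 "-" "curl/8.4"
garbage line that does not parse
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # compare the path without any query string
    return rec


def is_trusted(ip: str) -> bool:
    """True only for addresses inside the management allowlist; unparsable input is untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETWORKS)


def find_suspicious(log_text: str) -> list:
    """Return one alert per request to the vulnerable endpoint from an untrusted source."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_ENDPOINT or is_trusted(rec["ip"]):
            continue
        alerts.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "status": int(rec["status"]),
            "time": rec["time"],
        })
    return alerts


def summarize(alerts: list) -> Counter:
    """Count alerts per source address so repeated probing stands out."""
    return Counter(a["ip"] for a in alerts)


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['time']} {a['ip']} {a['method']} {VULN_ENDPOINT} -> {a['status']}")
    print("hits per source:", dict(summarize(found)))
```

Because the endpoint accepts administrative operations without credentials, a 200 response to an untrusted source is itself the finding; there is no failed-login signal to wait for. Tune MGMT_NETWORKS to the real management range and treat any remaining hit as an incident-response trigger rather than a low-priority notice.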

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

Prevent: Directly requires organizations to identify and restrict sensitive actions, such as user management, that can be performed without authentication, preventing exploitation of the unauthenticated endpoint.

Prevent: Mandates enforcement of approved authorizations for access to system resources, ensuring the vulnerable endpoint requires authentication for administrative functions.

Prevent: Requires proper management of accounts, including creation, modification, and deletion, mitigating unauthorized user account operations via the exposed endpoint.

Security Summary (AI-generated)

CVE-2025-63221 is a Broken Access Control vulnerability (CWE-284) affecting Axel Technology puma devices running firmware versions 0.8.5 through 1.0.3. The issue stems from missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, which exposes sensitive administrative functions without requiring credentials. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to list existing user accounts, create new administrative users, delete users, and modify system settings, ultimately resulting in full compromise of the affected device.

The CVE description gives no mitigation details; consult the references, namely the vulnerability research repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control and the vendor's website at https://www.axeltechnology.com/, for any advisories, patches, or workarounds. Do not read the low EPSS score (0.0012) as low risk: the page lists a public PoC, the endpoint needs no credentials, and the impact is full device compromise, so any puma device whose web interface is reachable from an untrusted network should be firewalled or placed behind an authenticating proxy until a fixed firmware is confirmed.

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: axeltechnology puma firmware, versions 0.8.5 through 1.0.3

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087.001 Local Account (Discovery): Adversaries may attempt to get a listing of local system accounts.
T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.
T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing web endpoint (T1190), account enumeration (T1087.001), creation of administrative accounts (T1136.001), account manipulation and deletion (T1098, T1531), and modification of system settings leading to full compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control
https://www.axeltechnology.com/