CVE-2025-63223
Published: 19 November 2025
Description
The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
Mitigating Controls (NIST 800-53 r5) (AI)
AC-14 requires explicit identification and documentation of actions permitted without authentication, directly preventing exposure of sensitive administrative functions like user management on the unauthenticated endpoint.
SC-14 mandates controls for publicly accessible services, such as requiring authentication for network-exposed endpoints to block unauthenticated remote compromise.
AC-3 enforces approved authorizations for access to system resources, comprehensively mitigating the lack of enforcement on the vulnerable CGI endpoint.
Security Summary (AI)
CVE-2025-63223 is a Broken Access Control vulnerability (CWE-284) affecting Axel Technology StreamerMAX MK II devices running firmware versions 0.8.5 through 1.0.3. The issue stems from missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, which exposes sensitive administrative functions without requiring credentials. Published on 2025-11-19, the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated remote attackers can exploit this endpoint over the network to list existing user accounts, create new administrative users, delete users, and modify system settings. Successful exploitation leads to full compromise of the device, granting attackers complete control over its configuration and operations.
References include a GitHub repository from vulnerability researcher shiky8 containing details and likely proof-of-concept code for CVE-2025-63223, as well as the vendor's website at axeltechnology.com. No specific patch or mitigation guidance is detailed in the provided information.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability allows unauthenticated remote exploitation of a public-facing web endpoint (T1190), enabling listing of user accounts (T1087.001), creation of administrative accounts (T1136.001), and deletion of users (T1531).
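Because the endpoint enforces no authentication, any served request to it from outside the management network is already a T1190 indicator rather than a failed probe. The following Python is an added defender-side example, not code from the CVE record, the researcher or the vendor: it scans web-server access logs for served requests to /cgi-bin/gstFcgi.fcgi from non-allowlisted sources. The Combined Log Format, the management subnet and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Endpoint path as named in CVE-2025-63223; everything else here is an assumption.
VULN_PATH = "/cgi-bin/gstFcgi.fcgi"

# Assumed Combined Log Format (source IP, timestamp, request line, status, size).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample: one management host plus two unknown sources hitting the endpoint.
SAMPLE_LOG = """\
10.0.5.20 - - [19/Nov/2025:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.5.20 - - [19/Nov/2025:10:01:15 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 88
203.0.113.77 - - [19/Nov/2025:10:02:03 +0000] "GET /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 640
203.0.113.77 - - [19/Nov/2025:10:02:04 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 91
198.51.100.9 - - [19/Nov/2025:10:03:40 +0000] "GET /cgi-bin/gstFcgi.fcgi?x=1 HTTP/1.1" 200 640
"""


def find_unauthenticated_endpoint_hits(log_text, management_nets=("10.0.5.0/24",)):
    """Return {source_ip: {"count": n, "methods": {...}}} for 2xx requests to the
    vulnerable endpoint from outside the assumed management network(s)."""
    allowed = [ip_network(n) for n in management_nets]
    hits = defaultdict(lambda: {"count": 0, "methods": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate malformed lines instead of aborting the scan
        path = m.group("path").split("?", 1)[0]  # compare path without query string
        if path != VULN_PATH:
            continue
        src = ip_address(m.group("ip"))
        if any(src in net for net in allowed):
            continue  # expected administrative traffic
        if not m.group("status").startswith("2"):
            continue  # only count requests the device actually served
        hits[str(src)]["count"] += 1
        hits[str(src)]["methods"].add(m.group("method"))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in find_unauthenticated_endpoint_hits(SAMPLE_LOG).items():
        print(f"ALERT T1190 {ip}: {info['count']} request(s) to {VULN_PATH}, "
              f"methods={sorted(info['methods'])}")
```

Run against the sample, it reports the two non-management sources and stays silent for the management host.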