CVE 9.8 CRITICAL

CVE-2025-63218_CVE-2025-63218

November 19, 2025 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

AI Analysis

Broken Access Control vulnerability due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, allowing unauthenticated remote attackers to list user accounts, create new administrative users, delete users, and modify system settings.

Basic Information

ID CVE-2025-63218

Source mitre

Published Nov 19, 2025 at 00:00

Modified Nov 19, 2025 at 15:14

Affected Product

Vendor Axel Technology

Product WOLF1MS and WOLF2MS

Version 0.8.5 to 1.0.3

Affected Versions n/a n/a n/a

CWE Classification

CWE-284 CWE-285

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Axel Technology

Product WOLF1MS and WOLF2MS

Version 0.8.5 to 1.0.3

References

{
    "lastseen": "",
    "description": "The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.",
    "published": "2025-11-19T00:00:00.000Z",
    "modified": "2025-11-19T15:14:03.256Z",
    "type": "cve",
    "title": "CVE-2025-63218",
    "source": "mitre",
    "references": "https://www.axeltechnology.com/\nhttps://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63218_Axel%20Technology%20WOLF1MS%20and%20WOLF2MS%20-%20Broken%20Access%20Control",
    "id": "CVE-2025-63218",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284",
        "CWE-285"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WOLF1MS and WOLF2MS",
    "version": "0.8.5 to 1.0.3",
    "vendor": "Axel Technology",
    "ai_description": "Broken Access Control vulnerability due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, allowing unauthenticated remote attackers to list user accounts, create new administrative users, delete users, and modify system settings.",
    "ai_severity": "Critical",
    "ai_vendor": "Axel Technology",
    "ai_product": "WOLF1MS and WOLF2MS",
    "ai_version": "0.8.5 to 1.0.3",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply