CVE 9.1 CRITICAL

CVE-2025-63221_CVE-2025-63221

December 17, 2025 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

AI Analysis

Broken Access Control vulnerability in Axel Technology puma devices due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, allowing unauthenticated remote attackers to list user accounts, create new administrative users, delete users, and modify system settings.

Basic Information

ID CVE-2025-63221

Source mitre

Published Nov 19, 2025 at 00:00

Modified Dec 17, 2025 at 22:15

Affected Product

Vendor Axel Technology

Product puma

Version 0.8.5-1.0.3

Affected Versions n/a n/a n/a

CWE Classification

CWE-284

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor Axel Technology

Product puma

Version 0.8.5-1.0.3

References

{
    "lastseen": "",
    "description": "The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.",
    "published": "2025-11-19T00:00:00.000Z",
    "modified": "2025-12-17T22:15:59.502Z",
    "type": "cve",
    "title": "CVE-2025-63221",
    "source": "mitre",
    "references": "https://www.axeltechnology.com/\nhttps://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control",
    "id": "CVE-2025-63221",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "n/a n/a n/a",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "puma",
    "version": "0.8.5-1.0.3",
    "vendor": "Axel Technology",
    "ai_description": "Broken Access Control vulnerability in Axel Technology puma devices due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, allowing unauthenticated remote attackers to list user accounts, create new administrative users, delete users, and modify system settings.",
    "ai_severity": "Critical",
    "ai_vendor": "Axel Technology",
    "ai_product": "puma",
    "ai_version": "0.8.5-1.0.3",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply