CVE-2025-63223

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control	Exploit Third Party Advisory Mitigation
https://www.axeltechnology.com/	Product
https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control	Exploit Third Party Advisory Mitigation

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:axeltechnology:streamermax_mk_ii_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:axeltechnology:streamermax_mk_ii:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-11-19 16:15

Updated : 2026-01-15 19:38

NVD link : CVE-2025-63223

Mitre link : CVE-2025-63223

CVE.ORG link : CVE-2025-63223

JSON object : View

Products Affected

axeltechnology

streamermax_mk_ii_firmware
streamermax_mk_ii

CWE

CWE-284

Improper Access Control

{"id": "CVE-2025-63223", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-11-19T16:15:48.310", "references": [{"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control", "tags": ["Exploit", "Third Party Advisory", "Mitigation"], "source": "cve@mitre.org"}, {"url": "https://www.axeltechnology.com/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63223_Axel%20Technology%20StreamerMAX%20MK%20II%20-%20Broken%20Access%20Control", "tags": ["Exploit", "Third Party Advisory", "Mitigation"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-284"}]}], "descriptions": [{"lang": "en", "value": "The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device."}], "lastModified": "2026-01-15T19:38:38.060", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:axeltechnology:streamermax_mk_ii_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73253430-5485-479B-A7D9-E9C708F4DB85", "versionEndIncluding": "1.0.3", "versionStartIncluding": "0.8.5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:axeltechnology:streamermax_mk_ii:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "2DAC51C8-C9DD-43B6-B826-26D7BEBA2DCE"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}