
CVE-2025-10220

Severity: Critical
Published: 10 September 2025
Modified: 19 December 2025
CVSS v4.0 base score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0089 (76.0th percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-10220 is a critical-severity Use of Unmaintained Third Party Components (CWE-1104) vulnerability in AxxonSoft Axxon One. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 24.0% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-10220, published on 2025-09-10, is a Use of Unmaintained Third Party Components vulnerability (CWE-1104) in the NuGet dependency components of AxxonSoft Axxon One VMS versions 2.0.0 through 2.0.4 on Windows. The flaw arises from reliance on vulnerable third-party packages, including Google.Protobuf, DynamicData, System.Runtime.CompilerServices.Unsafe, and others, which are no longer maintained.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it is exploitable over the network with low complexity, no privileges, and no user interaction required. A remote attacker can leverage the unmaintained components to execute arbitrary code or bypass security features in affected Axxon One VMS installations.

Mitigation guidance is available in AxxonSoft's security advisory at https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories.

Vulnerability details

Use of Unmaintained Third Party Components (CWE-1104) in the NuGet dependency components in AxxonSoft Axxon One VMS 2.0.0 through 2.0.4 on Windows allows a remote attacker to execute arbitrary code or bypass security features via exploitation of vulnerable third-party packages such as Google.Protobuf, DynamicData, System.Runtime.CompilerServices.Unsafe, and others.

CWE(s): CWE-1104 Use of Unmaintained Third Party Components

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques? The vulnerability in a public-facing VMS enables remote arbitrary code execution via unmaintained third-party components.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-12104 (shared CWE-1104)
CVE-2025-3497 (shared CWE-1104)
CVE-2025-10226 (same product: AxxonSoft Axxon One)
CVE-2025-34192 (shared CWE-1104)
CVE-2026-21821 (shared CWE-1104)
CVE-2026-41468 (shared CWE-1104)
CVE-2025-34193 (shared CWE-1104)

Affected Assets

Vendor: AxxonSoft
Product: Axxon One
Versions: 2.0.0 through 2.0.4

Mitigating Controls (NIST 800-53 r5) (AI)

SA-22 Unsupported System Components (prevent): directly prohibits the use of unmaintained third-party components like the vulnerable NuGet packages in Axxon One VMS, preventing exploitation.

SI-2 Flaw Remediation (prevent, recover): requires timely identification, reporting, and correction of flaws in unmaintained components, addressing the arbitrary code execution and security bypass risks.

Vulnerability scanning (detect): enables periodic vulnerability scanning to identify exploitable flaws in unmaintained third-party NuGet dependencies such as Google.Protobuf.
