CVE-2025-56266
Published: 08 September 2025
Summary
CVE-2025-56266 is a critical-severity Injection (CWE-74) vulnerability in Avigilon Access Control Manager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-56266 is a Host Header Injection vulnerability affecting Avigilon ACM version 7.10.0.20. The flaw, assigned CVSS 9.8 and linked to CWEs 74, 116, and 444, permits remote attackers to supply a crafted URL that triggers arbitrary code execution on the affected system.
The issue is exploitable over the network by unauthenticated attackers, without credentials or user interaction. Successful exploitation gives full control over the confidentiality, integrity, and availability of the target, consistent with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.
Public references consist of GitHub repositories containing technical details and proof-of-concept material for the vulnerability; no vendor advisory or patch information is included in the provided sources.
EPSS for the CVE rose from a low baseline to a peak of 0.1107 on 2026-01-13 before receding to the current value of 0.0650, indicating measurable post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-27158
Vulnerability details
A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.
- CWE(s): CWE-74 (Injection), CWE-116 (Improper Encoding or Escaping of Output), CWE-444 (Inconsistent Interpretation of HTTP Requests, 'HTTP Request/Response Smuggling')
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The Host Header Injection vulnerability in Avigilon ACM yields remote arbitrary code execution from a single crafted URL, which matches the T1190 pattern of exploiting a public-facing application.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation at entry points, directly preventing host header injection by rejecting or sanitizing crafted Host headers used to execute arbitrary code.
SI-2 requires timely flaw remediation including patching known vulnerabilities like CVE-2025-56266 to eliminate the host header injection weakness.
SC-7 boundary protection via web application firewalls or proxies can inspect and block malformed HTTP requests exploiting host header injection.
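The SI-10 control above is the one a developer or integrator can act on directly: validate the Host header against an allowlist at the entry point and never let request-supplied host values flow into generated URLs or code paths. The following is an added example written for this page, not code from Avigilon ACM, the CVE references, or any vendor; the allowlisted hostnames, ports, canonical base URL, and sample requests are constructed for illustration. It shows a strict parser for the Host header, an allowlist check, a configuration-driven absolute-URL builder, and a small WSGI middleware that rejects non-allowlisted hosts with 400 before the application sees the request.

```python
"""Allowlist-based Host header validation (NIST SI-10 style input validation).

Added illustration for this page; not code from Avigilon ACM or any vendor.
All hostnames, ports and sample requests below are constructed.
"""
import re
from typing import Optional

# Constructed deployment allowlist: the only names clients are expected to use.
# Ports are checked separately so "host:443" and "host" resolve to one entry.
ALLOWED_HOSTS = frozenset({"acm.example.internal", "10.0.0.5"})
ALLOWED_PORTS = frozenset({80, 443})

# Canonical origin for any absolute URL the application must emit (redirects,
# e-mailed links). Reading it from configuration instead of the request removes
# the Host header from the URL-building path entirely.
CANONICAL_BASE = "https://acm.example.internal"

# Hostname / IPv4 syntax close to RFC 3986 reg-name (no percent-encoding, no
# IPv6 literals). Anything outside this alphabet (e.g. '@', '/', '?', spaces,
# CR/LF) is rejected rather than "cleaned".
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.\-]{0,252}[A-Za-z0-9])?$")


def parse_host(value: str) -> Optional[tuple[str, int]]:
    """Split a raw Host header into (host, port); return None when malformed."""
    if not value or len(value) > 255:
        return None
    # Reject control characters and whitespace outright (header injection).
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return None
    if value.startswith("["):  # IPv6 literal: not used in this deployment
        return None
    host, sep, port_text = value.partition(":")
    if sep:
        if not port_text.isdigit():  # also catches a second ':' or '@...'
            return None
        port = int(port_text)
        if not 1 <= port <= 65535:
            return None
    else:
        port = 443  # example assumption: TLS terminated in front of the app
    if not _HOST_RE.fullmatch(host):
        return None
    return host.lower(), port


def host_is_allowed(value: str) -> bool:
    """True only if the Host header names an allowlisted host and port."""
    parsed = parse_host(value)
    if parsed is None:
        return False
    host, port = parsed
    return host in ALLOWED_HOSTS and port in ALLOWED_PORTS


def build_absolute_url(path: str) -> str:
    """Build an absolute URL from configuration, never from the request.

    The unsafe pattern this replaces is concatenating environ["HTTP_HOST"]
    (or a framework's request.host) with the path.
    """
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    return CANONICAL_BASE + path


def host_guard(app):
    """WSGI middleware: refuse any request whose Host header is not allowlisted."""
    def wrapped(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", "")):
            body = b"Bad Request: unrecognised Host header\n"
            start_response("400 Bad Request", [("Content-Type", "text/plain"),
                                               ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapped


if __name__ == "__main__":
    # Constructed sample headers: the first two pass, the rest are rejected.
    for sample in ["acm.example.internal", "10.0.0.5:80", "evil.example.com",
                   "acm.example.internal@evil.example.com",
                   "acm.example.internal\r\nX-Injected: 1"]:
        print(repr(sample), "->", "allowed" if host_is_allowed(sample) else "rejected")
```

Placing the check in middleware, ahead of routing, means every handler benefits, and pairing it with a configuration-sourced `CANONICAL_BASE` closes the common path where a poisoned Host header ends up inside a generated link. An SC-7 proxy or WAF in front of the application can enforce the same allowlist as a second layer, but it should not be the only one.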