CVE-2025-56266

Critical · Public PoC

Published: 08 September 2025
Modified: 12 September 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0650 (91.3th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-56266 is a critical-severity Injection (CWE-74) vulnerability in Avigilon Access Control Manager. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-56266 is a Host Header Injection vulnerability affecting Avigilon ACM version 7.10.0.20. The flaw, assigned CVSS 9.8 and linked to CWEs 74, 116, and 444, permits remote attackers to supply a crafted URL that triggers arbitrary code execution on the affected system.

Unauthenticated attackers reachable over the network can exploit the issue without user interaction or credentials. Successful exploitation grants full control over confidentiality, integrity, and availability of the target, consistent with the vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Public references consist of GitHub repositories containing technical details and proof-of-concept material for the vulnerability; no vendor advisory or patch information is included in the provided sources.

EPSS for the CVE rose from a low baseline to a peak of 0.1107 on 2026-01-13 before receding to the current value of 0.0650, indicating measurable post-disclosure exploitation interest.

Vulnerability details

A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

CWE(s): CWE-74 (Injection), CWE-116 (Improper Encoding or Escaping of Output), CWE-444 (HTTP Request/Response Smuggling)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Host Header Injection vulnerability in Avigilon ACM enables remote arbitrary code execution via crafted URL, facilitating exploitation of public-facing applications.

CVEs Like This One

CVE-2025-56267: same product (Avigilon Access Control Manager)
CVE-2026-28368: shared CWE-444
CVE-2024-39604: shared CWE-74
CVE-2025-20337: shared CWE-74
CVE-2026-1525: shared CWE-444
CVE-2025-64428: shared CWE-74
CVE-2026-45344: shared CWE-74
CVE-2026-25814: shared CWE-74
CVE-2025-65114: shared CWE-444
CVE-2024-10441: shared CWE-116

Affected Assets

Vendor: avigilon
Product: access control manager
Version: 7.10.0.20

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: SI-10 (Information Input Validation) mandates input validation at entry points, directly preventing host header injection by rejecting or sanitizing crafted Host headers used to execute arbitrary code.

prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, including patching known vulnerabilities like CVE-2025-56266, to eliminate the host header injection weakness.

prevent: SC-7 (Boundary Protection) via web application firewalls or proxies can inspect and block malformed HTTP requests exploiting host header injection.
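The SI-10 and SC-7 controls above both come down to one concrete check: the Host header an unauthenticated client supplies is compared against the names the deployment is actually served under, and anything else is refused before the application uses it. The following is an added example written for this page, not code from Avigilon ACM or from the page's sources; the allowlist values, the middleware name and the stub application are assumptions for illustration. It normalises the header (case, optional port, trailing dot, bracketed IPv6 literal), rejects values with characters that do not belong in a hostname, and only then consults the allowlist, so that a crafted Host value never reaches URL construction or other logic behind it.

```python
"""Host header allowlist check as a WSGI middleware.

Added example (assumed names and values); not Avigilon's code.
"""
import ipaddress
import re

# Constructed allowlist: the hostnames this deployment is legitimately
# served under. Anything else is rejected before the application sees it.
ALLOWED_HOSTS = {"acm.example.internal", "10.0.0.5"}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
_PORT_RE = re.compile(r":\d{1,5}")


def normalize_host(raw):
    """Return the canonical host part of a Host header value, or None when
    the value is absent, malformed, or carries characters that do not
    belong in a hostname (CR/LF, '/', '@', a second ':' and so on).
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if not value or len(value) > 255:
        return None
    if value.startswith("["):                      # IPv6 literal, e.g. [::1]:8443
        end = value.find("]")
        if end == -1:
            return None
        literal, rest = value[1:end], value[end + 1:]
        try:
            host = "[" + str(ipaddress.IPv6Address(literal)) + "]"
        except ValueError:
            return None
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
        host = host.rstrip(".")                    # "example.com." == "example.com"
        # fullmatch avoids the '$'-before-trailing-newline quirk of match()
        if not _HOSTNAME_RE.fullmatch(host):
            return None
    if rest and not _PORT_RE.fullmatch(rest):      # only ":<digits>" may follow
        return None
    return host


def is_allowed_host(raw, allowed=ALLOWED_HOSTS):
    """True only when the header normalises cleanly AND is in the allowlist."""
    host = normalize_host(raw)
    return host is not None and host in allowed


def host_allowlist_middleware(app, allowed=ALLOWED_HOSTS):
    """Wrap a WSGI app so requests with an unrecognised Host get a 400."""
    def wrapped(environ, start_response):
        if not is_allowed_host(environ.get("HTTP_HOST"), allowed):
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"Bad Request: unrecognised Host header\n"]
        return app(environ, start_response)
    return wrapped


def _stub_app(environ, start_response):
    """Stand-in for the protected application (assumed, for the demo)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def check_requests(host_values):
    """Send constructed requests through the middleware; map each Host
    value to the status the client would receive."""
    app = host_allowlist_middleware(_stub_app)
    results = {}
    for value in host_values:
        captured = {}

        def start_response(status, headers, exc_info=None, _c=captured):
            _c["status"] = status

        environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
        if value is not None:
            environ["HTTP_HOST"] = value
        b"".join(app(environ, start_response))
        results[value] = captured["status"]
    return results


if __name__ == "__main__":
    for host, status in check_requests(
        ["acm.example.internal", "ACM.Example.Internal:443",
         "evil.example.com", "acm.example.internal.evil.com", None]
    ).items():
        print(f"{host!r:40} -> {status}")
```

The allowlist is the control; the normalisation in front of it exists so that equivalent spellings of a legitimate name (upper case, explicit port, trailing dot) still pass while anything with extra structure fails closed. The same check belongs at the reverse proxy or WAF (SC-7) as well, so the application is not the only layer that enforces it.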
