CVE-2025-63221
Published: 19 November 2025
Summary
CVE-2025-63221 is a critical-severity Improper Access Control (CWE-284) vulnerability in Axeltechnology Puma Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 30.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): directly requires organizations to identify and restrict sensitive actions, such as user management, that can be performed without authentication, preventing exploitation of the unauthenticated endpoint.
- AC-3 (Access Enforcement): mandates enforcement of approved authorizations for access to system resources, ensuring the vulnerable endpoint requires authentication for administrative functions.
- AC-2 (Account Management): requires proper management of accounts, including creation, modification, and deletion, mitigating unauthorized user account operations via the exposed endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables:
- unauthenticated exploitation of a public-facing web endpoint (T1190)
- account enumeration (T1087.001)
- creation of administrative accounts (T1136.001)
- account manipulation and deletion (T1098, T1531)
- modification of system settings, leading to full compromise of the device
NVD Description
The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
Deeper analysis
CVE-2025-63221 is a Broken Access Control vulnerability (CWE-284) affecting Axel Technology puma devices running firmware versions 0.8.5 through 1.0.3. The issue stems from missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, which exposes sensitive administrative functions without requiring credentials. It has a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to its network accessibility and lack of prerequisites.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to list existing user accounts, create new administrative users, delete users, and modify system settings, ultimately resulting in full compromise of the affected device.
Mitigation details are not specified in the CVE description, but security practitioners should consult the provided references, including a GitHub vulnerability research repository at https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control and the vendor's website at https://www.axeltechnology.com/ for any advisories, patches, or workarounds.
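Until a vendor fix is available, defenders can at least watch for requests reaching the affected endpoint from outside the network that is supposed to manage the device. The Python below is an added example written for this page, not code from the advisory, the researcher's repository or the vendor; the log format (combined-style web server logs), the trusted management network 10.20.0.0/24 and the sample log lines are all assumptions.

```python
import ipaddress
import re

# Endpoint named in the CVE description; everything else below is constructed.
TARGET_PATH = "/cgi-bin/gstFcgi.fcgi"

# Assumed management network; requests from anywhere else are unexpected.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Combined-log-format style line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); the third one is unrelated,
# the last one is malformed and must be skipped rather than crash the scan.
SAMPLE_LOG = [
    '10.20.0.5 - - [19/Nov/2025:10:00:01 +0000] "GET /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [19/Nov/2025:10:00:07 +0000] "POST /cgi-bin/gstFcgi.fcgi?x=1 HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '203.0.113.7 - - [19/Nov/2025:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    'garbage that is not a log line',
]

def is_trusted(ip):
    """True if the client address falls inside an assumed trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)

def scan(lines):
    """Return (ip, method, status) for each request to the unauthenticated
    endpoint from an untrusted source. A 200 on a POST is the first thing to
    triage, because the endpoint performs account and settings changes."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != TARGET_PATH or is_trusted(m.group("ip")):
            continue
        findings.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return findings
```

Run against the sample, only the POST from 203.0.113.7 is reported; the request from the management network and the unrelated page view are ignored.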
Details
- CWE(s)