Cyber Posture

CVE-2025-63223

Critical · Public PoC

Published: 19 November 2025
Modified: 15 January 2026
KEV Added: not listed
Patch: none recorded
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0080 (74.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-63223 is a critical-severity Improper Access Control (CWE-284) vulnerability in Axel Technology StreamerMAX MK II firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 25.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: AC-14 requires explicit identification and documentation of actions permitted without authentication, directly preventing exposure of sensitive administrative functions like user management on the unauthenticated endpoint.
- Prevent: SC-14 mandates controls for publicly accessible services, such as requiring authentication for network-exposed endpoints to block unauthenticated remote compromise.
- Prevent: AC-3 enforces approved authorizations for access to system resources, comprehensively mitigating the lack of enforcement on the vulnerable CGI endpoint.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1087.001 Account Discovery: Local Account (Discovery): Adversaries may attempt to get a listing of local system accounts.
- T1136.001 Create Account: Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
- T1531 Account Access Removal (Impact): Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.

Why these techniques?

The vulnerability allows unauthenticated remote exploitation of a public-facing web endpoint (T1190), enabling listing of user accounts (T1087.001), creation of administrative accounts (T1136.001), and deletion of users (T1531).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Deeper analysis (AI-generated)

CVE-2025-63223 is a Broken Access Control vulnerability (CWE-284) affecting Axel Technology StreamerMAX MK II devices running firmware versions 0.8.5 through 1.0.3. The issue stems from missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint, which exposes sensitive administrative functions without requiring credentials. Published on 2025-11-19, the vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility and lack of prerequisites.

Unauthenticated remote attackers can exploit this endpoint over the network to list existing user accounts, create new administrative users, delete users, and modify system settings. Successful exploitation leads to full compromise of the device, granting attackers complete control over its configuration and operations.

References include a GitHub repository from vulnerability researcher shiky8 containing details and likely proof-of-concept code for CVE-2025-63223, as well as the vendor's website at axeltechnology.com. No specific patch or mitigation guidance is detailed in the provided information.
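Because the vulnerable endpoint performs administrative actions with no credentials, a defender's first question is who has been reaching it. The following is an added example, not code from this page, the researcher or the vendor: it parses web-server access logs in Common Log Format, flags every request to /cgi-bin/gstFcgi.fcgi from a source outside an assumed allowlist of management hosts, and marks which of those requests the device accepted. The log lines, client addresses and allowlist are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample access log (Common Log Format). Addresses and
# timestamps are made up; only the endpoint path comes from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:12 +0000] "GET /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 512
192.0.2.10 - - [20/Nov/2025:10:01:40 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 88
192.0.2.10 - - [20/Nov/2025:10:02:05 +0000] "POST /cgi-bin/gstFcgi.fcgi HTTP/1.1" 200 90
198.51.100.3 - - [20/Nov/2025:10:03:00 +0000] "GET /index.html?lang=en HTTP/1.1" 200 2048
203.0.113.7 - - [20/Nov/2025:10:03:30 +0000] "GET /CGI-BIN/gstFcgi.fcgi HTTP/1.1" 404 0
"""

VULNERABLE_PATH = "/cgi-bin/gstfcgi.fcgi"  # compared case-insensitively
MANAGEMENT_HOSTS = {"192.0.2.10"}          # assumed allowlist of admin workstations

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec

def find_endpoint_hits(log_text, allowlist=MANAGEMENT_HOSTS):
    """Return requests to the unauthenticated CGI endpoint from sources
    outside the allowlist. Every such request deserves an alert; a 2xx
    status means the device accepted the action without credentials."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != VULNERABLE_PATH:
            continue
        if rec["src"] in allowlist:
            continue
        rec["accepted"] = 200 <= rec["status"] < 300
        hits.append(rec)
    return hits

def hits_by_source(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["src"] for h in hits)
```

Until a fixed firmware is available, the same allowlist can be enforced at a reverse proxy or firewall in front of the device, so that anything this check flags is blocked rather than merely logged.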

Details

CWE(s)

CWE-284 Improper Access Control

Affected Products

Axel Technology StreamerMAX MK II firmware, versions 0.8.5 to 1.0.3

CVEs Like This One

- CVE-2025-63221 (same vendor: Axel Technology)
- CVE-2025-63218 (same vendor: Axel Technology)
- CVE-2025-64066 (shared CWE-284)
- CVE-2025-12480 (shared CWE-284)
- CVE-2024-53496 (shared CWE-284)
- CVE-2024-46432 (shared CWE-284)
- CVE-2026-31272 (shared CWE-284)
- CVE-2026-21962 (shared CWE-284)
- CVE-2026-34456 (shared CWE-284)
- CVE-2026-21535 (shared CWE-284)

References