Vulnerability Description
The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Axeltechnology | Streamermax Mk Ii Firmware | >= 0.8.5, <= 1.0.3 |
| Axeltechnology | Streamermax Mk Ii | - |
Related Weaknesses (CWE)
References
- https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-6322ExploitThird Party AdvisoryMitigation
- https://www.axeltechnology.com/Product
- https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-6322ExploitThird Party AdvisoryMitigation
FAQ
What is CVE-2025-63223?
CVE-2025-63223 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The Axel Technology StreamerMAX MK II devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenti...
How severe is CVE-2025-63223?
CVE-2025-63223 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-63223?
Check the references section above for vendor advisories and patch information. Affected products include: Axeltechnology Streamermax Mk Ii Firmware, Axeltechnology Streamermax Mk Ii.