CVE-2025-10223
📋 TL;DR
This vulnerability allows authenticated attackers (local or remote) to maintain access to the AxxonSoft Axxon One Web Admin Panel even after their privileges have been revoked, by continuing to use unexpired session tokens. It affects Windows installations of Axxon One (C-Werk) versions prior to 2.0.3. Attackers can perform actions with previously granted permissions until the session naturally expires.
💻 Affected Systems
- AxxonSoft Axxon One (C-Werk)
📦 What is this software?
Axxon One by Axxonsoft
⚠️ Risk & Real-World Impact
Worst Case
A malicious insider or compromised account maintains administrative access after being demoted or terminated, allowing data theft, system manipulation, or privilege escalation.
Likely Case
Former employees or contractors retain access to systems they should no longer have permissions for, potentially accessing sensitive surveillance data or configuration settings.
If Mitigated
With proper session management controls, the window of opportunity is limited to the remaining session duration after privilege removal.
🎯 Exploit Status
Exploitation requires an authenticated session and knowledge that privileges have been removed. The attacker simply continues using their existing session token.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.3 or later
Vendor Advisory: https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories
Restart Required: No
Instructions:
1. Download Axxon One version 2.0.3 or later from official AxxonSoft sources.
2. Follow standard upgrade procedures for Axxon One installations.
3. Verify the update completed successfully.
🔧 Temporary Workarounds
Manual Session Termination
Manually invalidate all active sessions when user privileges are modified or accounts are disabled
No automated commands available - requires administrative action in Axxon One interface
Reduce Session Timeout
Configure shorter session timeout values to limit the window of vulnerability
Configure in Axxon One Web Admin Panel settings
🧯 If You Can't Patch
- Implement strict access review processes and immediately terminate all sessions when modifying user privileges
- Deploy network segmentation to limit Web Admin Panel access to trusted networks only
🔍 How to Verify
Check if Vulnerable:
Check Axxon One version in Web Admin Panel. If version is below 2.0.3, the system is vulnerable.
Check Version:
Check version in Axxon One Web Admin Panel interface (no specific CLI command provided by vendor)
Verify Fix Applied:
After updating to 2.0.3 or later, test that session tokens are invalidated immediately when user privileges are revoked.
📡 Detection & Monitoring
Log Indicators:
- Users accessing resources after the timestamp of their privilege removal
- Multiple failed session termination attempts
Network Indicators:
- Web Admin Panel traffic from users whose accounts were recently modified
SIEM Query:
source="axxon_one" AND (event_type="access_denied" OR user_privilege_change="true") | stats count by user, session_id
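As an added example (not part of the advisory and not vendor code), the following Python implements the first log indicator above: it correlates each user's privilege-change events with later requests made over a session that was already open before the change, while leaving sessions opened after the change alone, since those should carry the new permissions. The log format, field names and sample lines are constructed assumptions modelled on the SIEM query, not a documented Axxon One schema.

```python
import json
from datetime import datetime

# Constructed sample log lines, not real Axxon One output. Field names are
# assumptions modelled on the SIEM query in the Detection section.
SAMPLE_LOGS = [
    '{"ts":"2025-09-01T08:00:00Z","user":"alice","session_id":"s1","event_type":"login"}',
    '{"ts":"2025-09-01T08:05:00Z","user":"alice","session_id":"s1","event_type":"access","resource":"/admin/users"}',
    '{"ts":"2025-09-01T08:10:00Z","user":"alice","session_id":"-","event_type":"privilege_change","actor":"admin","new_role":"viewer"}',
    '{"ts":"2025-09-01T08:12:00Z","user":"alice","session_id":"s1","event_type":"access","resource":"/admin/config"}',
    '{"ts":"2025-09-01T08:15:00Z","user":"alice","session_id":"s3","event_type":"login"}',
    '{"ts":"2025-09-01T08:16:00Z","user":"alice","session_id":"s3","event_type":"access","resource":"/live"}',
    '{"ts":"2025-09-01T08:20:00Z","user":"bob","session_id":"s2","event_type":"access","resource":"/live"}',
]

def parse_events(lines):
    """Parse JSON log lines and return them ordered by timestamp."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])

def find_stale_session_access(lines):
    """Flag access events made over a session that was already open when the
    user's privileges were changed. A session opened after the change is
    expected to carry the new permissions and is not flagged."""
    changed_at = {}       # user -> time of the most recent privilege change
    session_start = {}    # (user, session_id) -> first time the session was seen
    findings = []
    for event in parse_events(lines):
        user = event["user"]
        if event["event_type"] == "privilege_change":
            changed_at[user] = event["ts"]
            continue
        key = (user, event["session_id"])
        session_start.setdefault(key, event["ts"])
        if event["event_type"] != "access" or user not in changed_at:
            continue
        if session_start[key] < changed_at[user] < event["ts"]:
            findings.append({
                "user": user,
                "session_id": event["session_id"],
                "resource": event.get("resource"),
                "seconds_after_change": int((event["ts"] - changed_at[user]).total_seconds()),
            })
    return findings
```

Running it over the sample lines flags only alice's pre-change session s1 touching /admin/config two minutes after her role was changed; her fresh session s3 and bob's traffic are not reported.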