CVE-2025-10224
📋 TL;DR
This vulnerability in AxxonSoft Axxon One (C-Werk) allows authenticated remote attackers to bypass proper LDAP group membership evaluation during login. As a result, users can be denied legitimate access or be assigned incorrect roles. Affects AxxonSoft Axxon One (C-Werk) 2.0.2 and earlier on Windows systems.
💻 Affected Systems
- AxxonSoft Axxon One (C-Werk)
📦 What is this software?
Axxon One by Axxonsoft
⚠️ Risk & Real-World Impact
Worst Case
Privileged users could be locked out of critical systems while unauthorized users gain elevated access to sensitive surveillance/security data.
Likely Case
Authentication confusion leading to incorrect role assignments, potentially allowing users to access functions they shouldn't have or being denied access to legitimate functions.
If Mitigated
With proper network segmentation and monitoring, impact is limited to authentication anomalies that can be detected and corrected.
🎯 Exploit Status
Requires authenticated LDAP user access and knowledge of nested group structures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories
Restart Required: No
Instructions:
1. Check vendor advisory for latest patched version.
2. Backup current configuration.
3. Apply vendor-provided patch or upgrade to fixed version.
4. Test LDAP authentication with nested groups.
🔧 Temporary Workarounds
Disable nested LDAP group evaluation
Configure LDAP authentication to use only direct group memberships instead of nested group evaluation
Use local authentication temporarily
Switch to local user accounts instead of LDAP authentication until patch is applied
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Axxon One systems from general network access
- Increase monitoring of authentication logs and implement alerts for unusual login patterns
🔍 How to Verify
Check if Vulnerable:
Check Axxon One version in administration interface and verify if using LDAP authentication with nested groups
Check Version:
Check version in Axxon One web interface or administration console
Verify Fix Applied:
Test LDAP authentication with nested group memberships after patch/upgrade to ensure proper role assignment
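The workaround above (direct group memberships only) and the verification step (test nested group memberships after patching) both hinge on the difference between direct and nested group resolution. The following added example, which is not AxxonSoft code and does not reflect how Axxon One resolves groups internally, models a small directory as a constructed in-memory dictionary and compares the role a user receives under direct-only versus nested evaluation. The group names, user names and the group-to-role mapping are assumptions chosen for illustration.

```python
from collections import deque

# Constructed directory data (an assumption, not real Axxon One or LDAP output).
# Each group maps to its members; members that start with "CN=" are nested groups.
GROUP_MEMBERS = {
    "CN=VideoOperators": {"alice", "CN=ShiftLeads"},
    "CN=ShiftLeads": {"bob"},
    "CN=Admins": {"carol", "CN=ShiftLeads"},
    # Two groups that contain each other: a cycle the resolver must survive.
    "CN=GroupX": {"CN=GroupY"},
    "CN=GroupY": {"CN=GroupX", "dave"},
}

# Hypothetical mapping of directory groups to application roles.
GROUP_TO_ROLE = {
    "CN=Admins": "administrator",
    "CN=VideoOperators": "operator",
}
# Highest-privilege role first; a user holding several mapped groups gets the first match.
ROLE_PRIORITY = ["administrator", "operator"]


def _parent_index(group_members):
    """Invert the membership table: member -> set of groups that contain it directly."""
    parents = {}
    for group, members in group_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(user, nested=True, group_members=GROUP_MEMBERS):
    """Return the groups a user belongs to.

    nested=False mirrors the page's workaround (direct memberships only).
    nested=True walks parent groups transitively, using a visited set so that
    cyclic group structures terminate instead of looping forever.
    """
    parents = _parent_index(group_members)
    direct = set(parents.get(user, set()))
    if not nested:
        return direct
    seen = set(direct)
    queue = deque(direct)
    while queue:
        group = queue.popleft()
        for parent in parents.get(group, set()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def assign_role(user, nested=True):
    """Map resolved groups to a role; None means the user would be denied login."""
    groups = effective_groups(user, nested=nested)
    held = {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}
    for role in ROLE_PRIORITY:
        if role in held:
            return role
    return None


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "dave"):
        print(name, "direct-only:", assign_role(name, nested=False),
              "nested:", assign_role(name, nested=True))
```

In this constructed data, `bob` only belongs to `CN=ShiftLeads` directly, which maps to no role, so direct-only evaluation denies him; nested evaluation reaches `CN=Admins` through `CN=ShiftLeads` and grants `administrator`. That gap is exactly what the "test LDAP authentication with nested groups" verification step is meant to exercise: pick users whose privileges come only through nested membership and confirm the assigned role matches expectations after the upgrade.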
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from legitimate users
- Users logging in with unexpected role assignments
- LDAP authentication errors related to group resolution
Network Indicators:
- Unusual authentication patterns to LDAP servers from Axxon One systems
SIEM Query:
source="axxon_one" AND (event_type="auth_failure" OR event_type="role_change")
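The SIEM query above only selects events; turning them into the log indicators listed (failed logins from legitimate users, unexpected role assignments) needs a small amount of correlation. The following added example, not taken from the page or from any AxxonSoft tooling, applies the same predicate as the SIEM query to a handful of constructed key=value log lines, then flags repeated authentication failures, role changes, and successful logins whose role differs from a known baseline. The log format and field names are assumptions chosen to mirror the query; real Axxon One logs will differ.

```python
import re
from collections import Counter

# Constructed sample log lines (not real Axxon One output). The key=value
# layout and field names are an assumption mirroring the page's SIEM query.
SAMPLE_LOGS = [
    'source="axxon_one" event_type="auth_success" user="alice" role="operator"',
    'source="axxon_one" event_type="auth_failure" user="bob" reason="group_resolution"',
    'source="axxon_one" event_type="auth_success" user="carol" role="administrator"',
    'source="axxon_one" event_type="role_change" user="alice" old_role="operator" new_role="administrator"',
    'source="other_app" event_type="auth_failure" user="dave"',
    'source="axxon_one" event_type="auth_failure" user="bob" reason="group_resolution"',
]

# Baseline of roles each user is expected to receive (constructed for the example).
EXPECTED_ROLES = {"alice": "operator", "carol": "operator"}

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Turn a key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def matches_siem_query(event):
    """Same predicate as: source="axxon_one" AND (auth_failure OR role_change)."""
    return (event.get("source") == "axxon_one"
            and event.get("event_type") in ("auth_failure", "role_change"))


def analyse(lines, expected_roles, failure_threshold=2):
    """Return (events matched by the SIEM query, list of findings).

    Findings are tuples of (kind, user, detail):
      repeated_auth_failure - a user hit the failure threshold
      unexpected_role       - a successful login granted a role not in the baseline
      role_change           - the application recorded a role change
    """
    events = [parse_line(line) for line in lines]
    hits = [e for e in events if matches_siem_query(e)]

    findings = []
    failures = Counter(e["user"] for e in hits if e["event_type"] == "auth_failure")
    for user, count in failures.items():
        if count >= failure_threshold:
            findings.append(("repeated_auth_failure", user, count))

    for e in events:
        if e.get("source") != "axxon_one":
            continue
        if e.get("event_type") == "auth_success":
            expected = expected_roles.get(e["user"])
            if expected is not None and e.get("role") != expected:
                findings.append(("unexpected_role", e["user"], e.get("role")))
        elif e.get("event_type") == "role_change":
            findings.append(("role_change", e["user"], e.get("new_role")))
    return hits, findings


if __name__ == "__main__":
    matched, flagged = analyse(SAMPLE_LOGS, EXPECTED_ROLES)
    print(f"{len(matched)} events matched the SIEM query")
    for finding in flagged:
        print(*finding)
```

The role baseline is the part worth investing in: a login that succeeds with a role nobody expected is the quietest symptom of mis-evaluated group membership, and it will not show up in a query that only looks at failures and explicit role-change events.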