CVE-2025-56266

9.8 CRITICAL

📋 TL;DR

According to the CVE description, a Host Header Injection vulnerability (CWE-74) in Avigilon Access Control Manager (ACM) v7.10.0.20 lets an unauthenticated remote attacker execute arbitrary code by sending HTTP requests with a crafted Host header. The public description does not say which downstream component consumes the Host value, so treat every place the appliance reflects that header (generated links, redirects, server-side requests) as in scope. Every installation running the vulnerable version is affected, and a successful attacker can take full control of the appliance.

💻 Affected Systems

Products:
  • Avigilon Access Control Manager (ACM)
Versions: v7.10.0.20
Operating Systems: Not documented in the references. ACM ships as a vendor appliance, so the underlying OS is not a deployer choice; exposure is determined by the ACM version alone.
Default Config Vulnerable: ⚠️ Yes
Notes: Every installation of v7.10.0.20 is vulnerable regardless of how it is hosted; the OS matters only for the post-exploitation indicators you look for on the appliance.

📦 What is this software?

Avigilon Access Control Manager (ACM) is a browser-managed physical access control platform from Avigilon (a Motorola Solutions company). It provisions door controllers, card holders and access schedules, and its web interface is the management surface this vulnerability exposes.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with remote code execution, allowing attackers to install malware, steal data, pivot to other systems, or disrupt physical access control operations.

🟠 Likely Case

Remote code execution leading to installation of backdoors, credential theft, and lateral movement within the network.

🟢 If Mitigated

Limited impact if the appliance is reachable only from trusted management networks and sits behind a reverse proxy or WAF that rejects requests whose Host header is not one of the appliance's configured names. The exposure is still rated critical until the vendor fix is applied, because those controls reduce reachability rather than remove the flaw.

🌐 Internet-Facing: HIGH - Systems exposed to the internet are directly exploitable without authentication, making them prime targets for automated attacks.
🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this vulnerability to gain control of critical access control systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept is reported in a GitHub repository (no URL is given in the references). The 9.8 score corresponds to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, i.e. network-reachable, low complexity and no authentication, which is what drives the LIKELY weaponization estimate; the CWE-74 classification (Improper Neutralization of Special Elements in Output Used by a Downstream Component) describes the defect class, not its ease of exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown - no vendor advisory is listed in the references

Restart Required: Assume yes (appliance updates normally reboot the unit)

Instructions:

1. Contact Avigilon support for patch availability for v7.10.0.20.
2. If a patch exists, download it only from the official vendor portal.
3. Back up the system configuration.
4. Apply the patch following the vendor's instructions.
5. Restart the appliance.
6. Verify the fix (see How to Verify below).

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platform: all

Implement WAF or reverse-proxy rules that accept only the exact hostnames and IP addresses under which the appliance is legitimately reached (including any port suffix) and reject everything else; also drop X-Forwarded-Host style override headers before the request reaches ACM.

WAF-specific configuration required - consult your WAF documentation for Host header validation rules. Prefer an allow-list of known names over a deny-list of suspicious patterns, since an injection payload can be any syntactically valid hostname.

Network Segmentation

Platform: all

Isolate Avigilon ACM systems from untrusted networks and implement strict firewall rules.

Firewall rules will vary by platform - block unnecessary ports and restrict access to trusted IPs only

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IP addresses only
  • Deploy a reverse proxy or WAF with Host header validation and sanitization
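The reverse-proxy Host check described above, as an added example (not Avigilon's code and not code from this page): a WSGI middleware that accepts only an allow-listed host part, tolerates a port suffix and bracketed IPv6 literals, refuses malformed values such as `name@other` or a missing Host, and strips X-Forwarded-Host style override headers before the request reaches the appliance. The hostnames, the IP address and the 421 status are assumptions chosen for illustration.

```python
"""Reverse-proxy Host allow-list in front of an ACM appliance.

Added example, not Avigilon's or the page's own code. The hostnames, the IP
address and the 421 response are assumptions chosen for illustration.
"""
import ipaddress
import re

# Constructed allow-list: every name or address by which the appliance is
# legitimately reached. Anything else is refused before it touches ACM.
ALLOWED_HOSTS = frozenset({"acm.example.internal", "10.0.5.20"})

# host[:port] where host is a DNS name / IPv4 literal or a bracketed IPv6
# literal. Values carrying '@', '/', spaces, '{', '%' or similar fail here,
# which is exactly what a Host-injection payload tends to carry.
_HOST_RE = re.compile(
    r"(?:\[(?P<v6>[0-9a-f:.]+)\]|(?P<name>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?))"
    r"(?::(?P<port>[0-9]{1,5}))?"
)


def parse_host(value):
    """Split a Host header into (host, port) or return None if it is malformed."""
    if value is None:
        return None
    m = _HOST_RE.fullmatch(value.strip().lower())
    if m is None:
        return None
    host = m.group("v6") or m.group("name")
    if m.group("v6") is not None:
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    port = m.group("port")
    if port is not None:
        port = int(port)
        if not 1 <= port <= 65535:
            return None
    return host, port


def host_allowed(value, allowed=ALLOWED_HOSTS):
    """True only for a syntactically clean Host whose host part is allow-listed."""
    parsed = parse_host(value)
    return parsed is not None and parsed[0] in allowed


def host_guard(app, allowed=ALLOWED_HOSTS):
    """WSGI middleware: refuse unknown Host values and strip override headers
    (X-Forwarded-Host and friends) that some frameworks trust when building URLs."""
    def guarded(environ, start_response):
        if not host_allowed(environ.get("HTTP_HOST"), allowed):
            start_response("421 Misdirected Request", [("Content-Type", "text/plain")])
            return [b"unrecognized Host header\n"]
        for key in ("HTTP_X_FORWARDED_HOST", "HTTP_X_FORWARDED_SERVER", "HTTP_X_HOST"):
            environ.pop(key, None)
        return app(environ, start_response)
    return guarded


def _upstream(environ, start_response):
    """Stand-in for the proxied ACM app: echoes the Host and X-Forwarded-Host it sees."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    body = "host=%s xfh=%s" % (environ.get("HTTP_HOST", ""),
                               environ.get("HTTP_X_FORWARDED_HOST", ""))
    return [body.encode()]


def simulate(host_header, forwarded_host=None):
    """Run one constructed request through the guard; return (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if host_header is not None:
        environ["HTTP_HOST"] = host_header
    if forwarded_host is not None:
        environ["HTTP_X_FORWARDED_HOST"] = forwarded_host
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(host_guard(_upstream)(environ, start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for h in ["acm.example.internal", "ACM.example.internal:443", "[::1]:8080",
              "acm.example.internal@attacker.example", "attacker.example", None]:
        print(repr(h), "->", simulate(h))
```

The check is deliberately an allow-list on the parsed host part rather than a pattern search for bad characters: an attacker's payload can be a perfectly well-formed hostname they control, and the only reliable property is that it is not one of yours.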

🔍 How to Verify

Check if Vulnerable:

Confirm the version in the ACM web interface's system information page; any appliance on 7.10.0.20 should be treated as vulnerable. The public proof-of-concept is not linked from the references, so only run it against a test instance, never against production.

Check Version:

Check the ACM web interface's login page or system information panel. The appliance does not expose a documented CLI for this, and the references do not identify the underlying OS.

Verify Fix Applied:

Confirm the reported version is later than 7.10.0.20 and that the vendor lists this CVE as fixed in that release; then re-run the proof-of-concept against a test instance to confirm it no longer succeeds.

📡 Detection & Monitoring

Log Indicators:

  • Host header values in proxy or web-server logs that are not one of the appliance's configured names or addresses (especially values containing '@', '/', '$', '{', spaces or URL-encoding)
  • Application responses (redirects, generated links) that echo an attacker-supplied Host value
  • Unexpected process creation, new listeners or new scheduled jobs on the appliance following such requests

Network Indicators:

  • HTTP requests with malformed Host headers
  • Unexpected outbound connections from ACM system
  • Traffic to known malicious IPs

SIEM Query:

Example (pseudo-query; adapt field names to your SIEM, and replace the illustrative hostnames with your appliance's real ones): dest_ip = "[ACM_IP]" AND NOT http.host IN ("acm.example.internal", "acm.example.internal:443", "[ACM_IP]"). Allow-list the appliance's real names rather than searching for "malicious" substrings, which an attacker never has to use; add OR http.host LENGTH > 100 as a cheap second signal.
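The same allow-list logic applied to logs, as an added example (not Avigilon's code and not code from this page): a scanner over reverse-proxy access lines that records the `$host` value, flagging entries whose host part is not allow-listed, contains characters a hostname cannot carry, or is implausibly long, and tallying hits per client address. The log format, the allow-list and the sample lines are constructed for illustration.

```python
"""Flag anomalous Host values in reverse-proxy access logs for an ACM appliance.

Added example, not Avigilon's or the page's own code. The log format, the
allow-list and the sample lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed log format:  client - [time] "host" "request-line" status
# (nginx log_format '$remote_addr - [$time_local] "$host" "$request" $status').
LINE_RE = re.compile(
    r'^(?P<client>\S+) - \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})$'
)
HOSTNAME_RE = re.compile(r"^[a-z0-9.-]+(?::[0-9]{1,5})?$")  # checked after lowercasing
MAX_HOST_LEN = 100

# Constructed allow-list of the appliance's legitimate names and addresses.
ALLOWED_HOSTS = frozenset({"acm.example.internal", "10.0.5.20"})

# Constructed sample: two clean lines, then four from one source with
# attacker-shaped Host values (foreign name, userinfo trick, shell metacharacters,
# and an oversized value).
SAMPLE_LOG = "\n".join([
    '10.0.1.15 - [12/Mar/2025:09:14:02 +0000] "acm.example.internal" "GET /login HTTP/1.1" 200',
    '10.0.1.15 - [12/Mar/2025:09:14:05 +0000] "acm.example.internal:443" "POST /login HTTP/1.1" 302',
    '203.0.113.7 - [12/Mar/2025:09:20:11 +0000] "attacker.example" "GET / HTTP/1.1" 200',
    '203.0.113.7 - [12/Mar/2025:09:20:12 +0000] "acm.example.internal@attacker.example" "GET / HTTP/1.1" 200',
    '203.0.113.7 - [12/Mar/2025:09:20:13 +0000] "acm.example.internal/$(id)" "GET / HTTP/1.1" 200',
    '203.0.113.7 - [12/Mar/2025:09:20:14 +0000] "%s.example" "GET / HTTP/1.1" 200' % ("a" * 120),
])


def parse_line(line):
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def host_findings(host, allowed=ALLOWED_HOSTS):
    """List the reasons a logged Host value looks suspicious (empty list = clean).

    The host part is taken as everything before the first ':' so a port suffix
    does not defeat the allow-list; bracketed IPv6 literals are not expected for
    this appliance and would simply be flagged.
    """
    h = host.strip().lower()
    if not h:
        return ["empty"]
    reasons = []
    if len(h) > MAX_HOST_LEN:
        reasons.append("too-long")
    if not HOSTNAME_RE.fullmatch(h):
        reasons.append("bad-charset")
    if h.split(":")[0] not in allowed:
        reasons.append("not-allowlisted")
    return reasons


def scan(log_text, allowed=ALLOWED_HOSTS):
    """Return one finding per log line whose Host value is suspicious."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these too
        reasons = host_findings(rec["host"], allowed)
        if reasons:
            findings.append({"client": rec["client"], "host": rec["host"],
                             "request": rec["request"], "reasons": reasons})
    return findings


def by_client(findings):
    """Hits per source address, the pivot an analyst wants first."""
    return dict(Counter(f["client"] for f in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f["client"], repr(f["host"][:40]), f["reasons"])
    print(by_client(hits))
```

The "not-allowlisted" reason fires on every suspicious line here while the character and length checks only catch the crude payloads, which is the point: keep the cheap pattern rules as corroboration, but let the allow-list be the detection.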

🔗 References