CVE-2025-63221

9.1 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to bypass authentication on Axel Technology puma devices and perform administrative actions. Attackers can create new admin users, delete existing users, modify system settings, and fully compromise affected devices. Organizations using Axel Technology puma devices with firmware versions 0.8.5 to 1.0.3 are affected.

💻 Affected Systems

Products:
  • Axel Technology puma devices
Versions: 0.8.5 to 1.0.3
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running affected firmware versions are vulnerable by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete device takeover allowing attackers to create persistent backdoors, disable security controls, exfiltrate data, and use the device as a pivot point into internal networks.

🟠 Likely Case
Attackers create administrative accounts, modify device configurations, and potentially deploy malware or use the device for further attacks.

🟢 If Mitigated
Limited impact if devices are behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP requests to the vulnerable endpoint can trigger the exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.axeltechnology.com/

Restart Required: No

Instructions:

1. Check vendor website for security advisories
2. Monitor for firmware updates
3. Apply patches when available

🔧 Temporary Workarounds

Network Access Control

Block external access to the vulnerable endpoint using firewall rules:

  # Drop plaintext HTTP requests whose payload contains the vulnerable path
  iptables -A INPUT -p tcp --dport 80 -m string --string "/cgi-bin/gstFcgi.fcgi" --algo bm -j DROP
  # Same match on 443; the string is only visible when the traffic is not TLS-encrypted
  iptables -A INPUT -p tcp --dport 443 -m string --string "/cgi-bin/gstFcgi.fcgi" --algo bm -j DROP

🧯 If You Can't Patch

  • Isolate affected devices in a separate network segment with strict access controls
  • Implement network monitoring for suspicious requests to the /cgi-bin/gstFcgi.fcgi endpoint

🔍 How to Verify

Check if Vulnerable:

Send an HTTP GET request to http://<device_ip>/cgi-bin/gstFcgi.fcgi and check whether it returns data without authentication

Check Version:

Check the device web interface or use vendor-specific CLI commands to display the firmware version

Verify Fix Applied:

Verify that requests to /cgi-bin/gstFcgi.fcgi require authentication, i.e. unauthenticated requests return HTTP 401 or 403

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to /cgi-bin/gstFcgi.fcgi
  • New user account creation in system logs
  • Unusual administrative actions from unexpected IP addresses

Network Indicators:

  • HTTP requests to /cgi-bin/gstFcgi.fcgi without authentication headers
  • POST requests to user management endpoints from external IPs

SIEM Query:

source="device_logs" AND (uri="/cgi-bin/gstFcgi.fcgi" AND NOT auth_success="true")
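The log and network indicators above, turned into detection logic you can run over access logs. This is an added example, not code from the advisory or the vendor: the space-separated log format, the auth_success field and the internal address ranges are assumptions, and the sample lines are constructed.

```python
import ipaddress
from dataclasses import dataclass

VULN_PATH = "/cgi-bin/gstFcgi.fcgi"  # endpoint named in the advisory
# Assumed internal ranges; replace with the segments your devices actually live in
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not real traffic). Assumed format:
#   <timestamp> <src_ip> <method> <uri> <status> auth_success=<true|false>
SAMPLE_LOG = """\
2025-11-20T08:01:02Z 10.0.5.17 GET /index.html 200 auth_success=true
2025-11-20T08:01:09Z 203.0.113.44 GET /cgi-bin/gstFcgi.fcgi 200 auth_success=false
2025-11-20T08:01:10Z 203.0.113.44 POST /cgi-bin/gstFcgi.fcgi?x=1 200 auth_success=false
2025-11-20T08:02:30Z 10.0.5.17 GET /cgi-bin/gstFcgi.fcgi 200 auth_success=true
2025-11-20T08:03:00Z 203.0.113.9 GET /cgi-bin/gstFcgi.fcgi 401 auth_success=false
2025-11-20T08:04:12Z 198.51.100.7 POST /cgi-bin/gstFcgi.fcgi 200 auth_success=true
"""

@dataclass
class Finding:
    ts: str
    src_ip: str
    severity: str
    reason: str

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def detect(log_text: str) -> list:
    """Return one Finding per line that matches an indicator; other lines are ignored."""
    findings = []
    for line in log_text.splitlines():
        ts, ip, method, uri, status, auth = line.split()
        path = uri.split("?", 1)[0]  # match on the path only, ignoring any query string
        if path != VULN_PATH:
            continue
        authed, code = auth == "auth_success=true", int(status)
        if not authed and code < 400:
            # Served without authentication: the bypass itself, or a device not yet fixed
            findings.append(Finding(ts, ip, "high", f"unauthenticated {method} served with HTTP {code}"))
        elif not authed:
            # Rejected by the device, but the endpoint is still being probed
            findings.append(Finding(ts, ip, "low", f"unauthenticated {method} rejected with HTTP {code}"))
        elif method == "POST" and not is_internal(ip):
            # Authenticated administrative action from outside the expected segments
            findings.append(Finding(ts, ip, "medium", "authenticated POST from external address"))
    return findings
```

Calling detect(SAMPLE_LOG) yields two high-severity hits for the unauthenticated 200 responses, a low one for the 401 probe, and a medium one for the external POST; the authenticated internal GET produces nothing.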
