CVE-2025-63221 · CRITICAL 9.1 · EPSS p37.4%

Description

The Axel Technology puma devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.48% probability of exploitation · percentile 37.4% · 2026-06-19T12:03:05Z
Published: 2025-11-19
Last modified: 2026-01-12

Underlying weaknesses · 1

CWE-284

References

  1. https://github.com/shiky8/my--cve-vulnerability-research/tree/main/CVE-2025-63221_Axel%20Technology%20puma%20-%20Broken%20Access%20Control
  2. https://www.axeltechnology.com/

Type: Weakness
Target: Improper Access Control (cwe-284)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2025-63218
  2. CVE-2025-63223
  3. CVE-2026-1185
  4. CVE-2025-30026
  5. CVE-2025-41651
  6. CVE-2025-15517

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.