CRITICAL🇵🇱 Wersja polska

CVE-2025-56266

CVSS 9.8v3.1pub. 2025-09-08upd. 2025-09-12

A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

🤖 AI Analysis
How it works

The attacker sends a crafted HTTP request to the server containing a manipulated Host header. The application improperly processes (CWE-116) or insufficiently validates the value of this header (CWE-74), leading to inconsistency in request interpretation (CWE-444). Providing a properly constructed URL allows for arbitrary code execution on the server side.

Impact

An attacker without any privileges can execute arbitrary code on the server (RCE), leading to complete takeover of the system, including loss of confidentiality, integrity and availability — and in the context of a physical access control system, also a threat to facility security.

Mitigation & patch

Patches available from the vendor should be applied according to the references. Until the fix is deployed, it is recommended to restrict network access to the ACM management interface to trusted hosts only and monitor traffic for suspicious HTTP Host headers.

Who is affected

Avigilon Access Control Manager (ACM) version 7.10.0.20

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Avigilon Access Control Manager

    APP
    Avigilon
    7.10.0.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-56267CRITICAL9.8PL ✓ten sam produkt

CSV injection w Avigilon ACM – wykonanie dowolnego kodu przez Excel

CVE-2015-2860HIGH7.8ten sam vendor

Directory traversal vulnerability in Avigilon Control Center (ACC) 4 before 4.12.0.54 and 5 before 5.4.2.22 al...