A critical vulnerability has been identified in AxxonSoft Axxon One VMS, stemming from its use of unmaintained third-party components. This weakness could allow a remote attacker to execute arbitrary code, potentially leading to a complete compromise of the affected video management system. Given the critical severity, immediate patching is required to prevent unauthorized access and protect sensitive security infrastructure.

The vulnerability, categorized as CWE-1104 (Use of Unmaintained Third Party Components), exists within the NuGet dependency components of the AxxonSoft Axxon One VMS software. Because these components are no longer maintained, they contain known, unpatched security flaws. A remote, unauthenticated attacker can exploit one of these underlying flaws by sending specially crafted data to the VMS server, triggering a condition that allows for arbitrary code execution with the privileges of the VMS service account.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete control over the affected Video Management System (VMS) server. The potential consequences include theft or manipulation of sensitive video surveillance data, disruption of physical security monitoring, and using the compromised server as a pivot point for further attacks into the corporate network. This could lead to significant data breaches, operational downtime, reputational damage, and potential compromise of physical security controls.

Immediate Action: Update AxxonSoft Axxon One VMS to the latest available version that addresses this vulnerability, as per the vendor's security advisory. After patching, it is crucial to monitor for any signs of post-remediation exploitation attempts and review historical access logs for indicators of a prior compromise.

Proactive Monitoring: Implement enhanced monitoring on affected VMS servers. Security teams should look for unusual outbound network connections, unexpected processes spawned by the VMS application, and anomalous access patterns in application and system event logs. Monitor for network traffic that matches signatures of known exploits for common NuGet package vulnerabilities.

Compensating Controls: If immediate patching is not feasible, apply compensating controls to reduce the risk. Isolate the VMS servers from the general corporate network using network segmentation and enforce strict firewall rules to only allow access from trusted management endpoints. Deploy an Intrusion Prevention System (IPS) with up-to-date signatures to detect and block potential exploit traffic.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of complete system compromise, organizations must treat this vulnerability with the highest priority. We strongly recommend applying the vendor-provided patches to all affected AxxonSoft Axxon One VMS installations immediately. Although this vulnerability is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its high severity makes it an attractive target for attackers, and immediate remediation is the most effective course of action to prevent exploitation.