A critical broken access control vulnerability has been identified in multiple products from The Axel Technology. The flaw allows an unauthenticated remote attacker to bypass security checks and perform administrative actions, including creating new administrator accounts, leading to a full compromise of the affected devices. Due to the ease of exploitation and the high potential for impact, immediate remediation is strongly advised.

The vulnerability is a Broken Access Control flaw located in the /cgi-bin/gstFcgi.fcgi endpoint. This specific endpoint fails to perform any authentication or authorization checks, allowing any user who can access it to execute privileged functions. A remote, unauthenticated attacker can send crafted requests to this endpoint to list all existing user accounts, create new users with administrative privileges, delete any user, and modify critical system settings. Successful exploitation results in a complete takeover of the device's administrative functions.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe business impact, as an attacker can gain complete and unauthorized administrative control over the affected devices. This could lead to service disruption, theft of sensitive data processed by the device, or the use of the compromised system as a pivot point to launch further attacks against the internal network. The potential consequences include operational downtime, reputational damage, and loss of control over critical infrastructure components.

Immediate Action: Apply the vendor-supplied security updates to all affected The Axel Technology devices immediately to patch the vulnerability. After patching, review system logs and user accounts for any signs of compromise, such as unauthorized administrative accounts or unexpected configuration changes.

Proactive Monitoring: Implement continuous monitoring of network traffic and web server access logs for any requests to the /cgi-bin/gstFcgi.fcgi endpoint, particularly from untrusted or external IP addresses. Configure alerts for the creation of new administrative users or significant system configuration modifications on these devices to enable rapid detection of potential exploitation.

Compensating Controls: If patching cannot be performed immediately, implement network-level controls to mitigate risk. Use a firewall or Web Application Firewall (WAF) to restrict all access to the vulnerable /cgi-bin/gstFcgi.fcgi endpoint from untrusted networks. If possible, limit access to the device's management interface to a dedicated and secured management network.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a complete system compromise by an unauthenticated attacker, this vulnerability represents a significant and immediate risk to the organization. We strongly recommend that the vendor's patches be applied as an urgent priority across all affected devices. If immediate patching is not feasible, the compensating controls outlined above, specifically network segmentation and firewall rules, must be implemented without delay to reduce the attack surface. Organizations should treat this as a high-priority vulnerability for remediation.