A critical vulnerability has been identified in The Axel Technology StreamerMAX MK II devices, allowing unauthenticated remote attackers to gain complete control. This flaw, caused by a lack of authentication on a key system endpoint, enables attackers to create administrative accounts and modify settings, leading to a full system compromise. Organizations using the affected devices face a significant risk of service disruption, data breaches, and unauthorized network access.

The vulnerability is a Broken Access Control flaw existing in the /cgi-bin/gstFcgi.fcgi endpoint. This specific endpoint fails to perform any authentication or authorization checks, allowing any remote user with network access to the device to interact with it. An unauthenticated attacker can send crafted requests to this endpoint to perform high-privilege administrative actions, including listing all existing user accounts, creating new users with administrative privileges, deleting any user, and modifying critical system settings, ultimately resulting in a complete compromise of the device.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing an immediate and severe risk to the organization. Successful exploitation would grant an attacker complete administrative control over the affected StreamerMAX devices. This could lead to significant operational disruptions by altering streaming configurations, broadcasting unauthorized content, or causing a total denial of service. Furthermore, a compromised device could be used as a pivot point to launch further attacks against the internal network, potentially leading to a wider data breach and compromising sensitive corporate information.

Immediate Action: The primary and most effective remediation is to immediately update the firmware on all affected Axel Technology StreamerMAX MK II devices to the latest version provided by the vendor. After patching, administrators should review device logs for any signs of compromise, such as unauthorized user creation or unexpected configuration changes.

Proactive Monitoring: Implement continuous monitoring of network traffic and device logs. Specifically, look for any unauthorized or unusual HTTP requests targeting the /cgi-bin/gstFcgi.fcgi endpoint. Set up alerts for the creation of new user accounts, especially those with administrative privileges, and for any modifications to system configurations that fall outside of planned maintenance windows.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk of exploitation. Restrict network access to the device's management interface using firewall rules, allowing connections only from trusted IP addresses or dedicated management subnets. If possible, isolate the devices in a segmented network zone to limit an attacker's ability to move laterally within the network if a device is compromised.

Public Exploit Available: false

Due to the critical severity (CVSS 9.8) and the ease with which this vulnerability can be exploited by an unauthenticated attacker, immediate action is required. We strongly recommend that organizations prioritize the deployment of the vendor-supplied firmware updates to all affected devices without delay. While this vulnerability is not currently listed on the CISA KEV catalog, its high impact and low attack complexity make it a prime candidate for future inclusion and an attractive target for attackers. If patching cannot be performed immediately, apply the recommended compensating controls to mitigate the immediate threat.