CRITICAL🇵🇱 Wersja polska

CVE-2025-56267

CVSS 9.8v3.1pub. 2025-09-08upd. 2025-09-12

A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via suuplying a crafted Excel file.

🤖 AI Analysis
How it works

The attack involves delivering a specially crafted Excel file containing malicious formulas (so-called injection formulas) to the vulnerable /id_profiles endpoint. When the file is processed by the application or opened by a user in a spreadsheet, the embedded formulas can be executed as system commands. This is a classic example of CWE-1236 (Improper Neutralization of Formula Elements in a CSV File), where input data is not properly sanitized before being embedded in a CSV/Excel file.

Impact

An attacker can execute arbitrary code on the victim's system, which potentially leads to complete system takeover, data breach, or disruption of the access control system.

Mitigation & patch

Patches available from the manufacturer should be applied according to references. Until an update is performed, it is recommended to restrict access to the /id_profiles endpoint and avoid opening files exported from the system in spreadsheet applications.

Who is affected

Avigilon Access Control Manager (ACM) version v7.10.0.20

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Avigilon Access Control Manager

    APP
    Avigilon
    7.10.0.20
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2025-56266CRITICAL9.8PL ✓ten sam produkt

Host Header Injection umożliwiający RCE w Avigilon Access Control Manager

CVE-2015-2860HIGH7.8ten sam vendor

Directory traversal vulnerability in Avigilon Control Center (ACC) 4 before 4.12.0.54 and 5 before 5.4.2.22 al...