Warning: Critical Vulnerabilities (CVE-2025-10226 and CVE-2025-10220) identified in AxxonSoft Axxon One, Patch Immediately!

Published : 11/09/2025

Last update: 11/09/2025
Affected products:

  • AxxonSoft's AxxonOne Video Management System (VMS) versions 2.0.8 and earlier
  • AxxonSoft's AxxonOne VMS versions 2.0.0 through 2.0.4.

Type:

  • Dependency on Vulnerable Third-Party Component and Authentication Bypass, respectively

CVE/CVSS:

  • CVE-2025-10226: CVSS 9.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
  • CVE-2025-10220: CVSS 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Sources

AxxonSoft - https://www.axxonsoft.com/legal/axxonsoft-vulnerability-disclosure-policy/security-advisories#CVE-2025-10220

Risks

Two critical vulnerabilities have been identified in AxxonSoft Axxon One, a widely deployed video management software (VMS) platform.

Since AxxonOne is a security management platform often used for video surveillance and physical security management, exploitation could lead to severe consequences, allowing remote attackers to:

  • Gain administrative privileges within the VMS.
  • Execute arbitrary commands on the underlying system.
  • Access or affect video data, logs, and system configurations.
  • Disrupt surveillance and monitoring operations in critical environments.

The very high CVSS score of both vulnerabilities indicates maximum potential damage across confidentiality, integrity, and availability, allowing a remote attacker to achieve full system compromise.

Description

CVE-2025-10226 (CVSS 9.8) is a critical vulnerability identified in AxxonSoft's AxxonOne VMS version 2.0.8 and earlier, which affects both Windows and Linux deployments. The root cause of this vulnerability lies in the product's dependency on an outdated and vulnerable version of the PostgreSQL database backend, specifically PostgreSQL version 10.x.

A remote attacker could escalate privileges to gain unauthorised system access, execute arbitrary code with high-level system permissions, or cause a denial-of-service (DoS) attack via the exploitation of multiple known CVEs present in PostgreSQL v10.x.

CVE-2025-10220 (CVSS 9.3) is a critical vulnerability identified in AxxonSoft's AxxonOne VMS versions 2.0.0 through 2.0.4 running on Windows. The root cause is the use of unmaintained third-party NuGet components, such as Google.Protobuf, DynamicData, and System.Runtime.CompilerServices.Unsafe, which contain known security flaws that have not been patched or updated.

An unauthenticated remote attacker can exploit these vulnerable components to execute arbitrary code or bypass security controls, potentially gaining complete control over the affected system.
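To turn the two affected-version statements above into a repeatable inventory check, the following added example (not AxxonSoft's or the CCB's code) classifies each Axxon One host against the advisory's ranges and separately flags hosts whose bundled database still reports the PostgreSQL 10.x line. The host records, the assumption that the Axxon One version is read from the installer, and the PostgreSQL banners are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

def parse_version(text: str) -> tuple:
    """Normalise a product version string to (major, minor, patch).

    '2.0.8', '2.0.8.1234' and '2.0.8-rc1' all map to (2, 0, 8), so a build
    suffix cannot push a 2.0.8 install outside the "2.0.8 and earlier" range.
    """
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])

def postgres_major(banner: Optional[str]) -> Optional[int]:
    """Extract the major version from 'psql --version' or SELECT version() output."""
    if not banner:
        return None
    m = re.search(r"PostgreSQL\)?\s+(\d+)", banner)
    return int(m.group(1)) if m else None

@dataclass
class AxxonOneHost:
    name: str
    version: str                           # Axxon One version as reported by the installer (assumed)
    os: str                                # "windows" or "linux"
    postgres_banner: Optional[str] = None  # bundled PostgreSQL version string, if collected

def affected_cves(host: AxxonOneHost) -> List[str]:
    """Return the advisory CVEs whose stated affected range covers this host."""
    v = parse_version(host.version)
    hits = []
    # CVE-2025-10226: 2.0.8 and earlier, Windows and Linux (bundled PostgreSQL 10.x)
    if v <= (2, 0, 8):
        hits.append("CVE-2025-10226")
    # CVE-2025-10220: 2.0.0 through 2.0.4, Windows only (unmaintained NuGet components)
    if host.os.lower() == "windows" and (2, 0, 0) <= v <= (2, 0, 4):
        hits.append("CVE-2025-10220")
    return hits

def still_on_postgres_10(host: AxxonOneHost) -> bool:
    """True when the collected banner shows the PostgreSQL 10.x line the advisory names."""
    return postgres_major(host.postgres_banner) == 10

# Constructed sample inventory, not real hosts.
SAMPLE_HOSTS = [
    AxxonOneHost("vms-lobby", "2.0.3", "windows", "psql (PostgreSQL) 10.23"),
    AxxonOneHost("vms-yard", "2.0.8.1234", "linux", "PostgreSQL 10.21 on x86_64-pc-linux-gnu"),
    AxxonOneHost("vms-patched", "2.0.9", "windows", "psql (PostgreSQL) 16.4"),
]

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.name, affected_cves(h) or "outside affected ranges", "| PostgreSQL 10.x:", still_on_postgres_10(h))
```

Feed it the version and database banner collected from each server and prioritise the hosts that hit both CVEs or that remain on PostgreSQL 10.x after an update.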

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.