Vulnerability description
A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.
id: CVE-2025-56266

info:
  name: Avigilon ACM - Host Header Injection
  author: DhiyaneshDK
  severity: medium
  description: |
    A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.
  impact: |
    Attackers can execute arbitrary code remotely by supplying crafted URLs, potentially compromising the system.
  remediation: |
    Update to the latest version.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-56266
    - https://github.com/nikolas-ch/CVEs/tree/main/AvigilonACM_v7.10.0.20/HostHeaderInjection
  metadata:
    verified: true
    max-request: 1
  tags: cve,cve2025,vuln,avigilon

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "Avigilon", "Access Control Manager")'
        internal: true

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{randstr}}.tld

    matchers-condition: and
    matchers:
      - type: word
        part: location
        words:
          - '{{randstr}}.tld'

      - type: status
        status:
          - 302
# digest: 4b0a00483046022100ab9086a31079817a857dd57dc3bfc748d99d40262d93e75e1210c7a3903a5b3d022100bfa7d91ff26979bd714b0462a73c0c48c9e985d12bdb2a0b52b58adfa9c94991:922c64590222798bb761d5b6d8e72950
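The template above encodes the check as two matchers joined by `matchers-condition: and`: the response must be a 302 and its Location header must carry the random host that was injected. The following Python is an added example, not part of the Nuclei template or the Avigilon product, that evaluates the same two conditions offline against constructed responses and shows the server-side fix (building absolute redirect targets only from an allowlisted or configured host). The `Response` class, the hostnames and the allowlist are all assumptions made up for the illustration.

```python
"""Added example: the Host-header-reflection check from the template, evaluated
offline, beside the server-side mitigation. Nothing here is the template's or
the vendor's own code; all hosts and responses are constructed."""
from __future__ import annotations

import random
import string
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Response:
    """Minimal model of an HTTP response: status code plus headers with
    lowercase names (assumption: the caller has already normalised them)."""
    status: int
    headers: dict[str, str]


def is_target_product(body: str) -> bool:
    """Mirror of the template's first (internal) matcher:
    contains_all(body, "Avigilon", "Access Control Manager")."""
    return "Avigilon" in body and "Access Control Manager" in body


def random_host(length: int = 12) -> str:
    """Stand-in for Nuclei's {{randstr}}.tld: a host nobody resolves, so any
    appearance of it in a redirect target can only come from our Host header."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=length))
    return f"{label}.tld"


def reflects_untrusted_host(sent_host: str, resp: Response) -> bool:
    """Mirror of the template's second request: report a finding only when the
    status is 302 AND the Location host equals the injected Host value.
    Parsing the URL (rather than substring search) also catches the
    scheme-relative form //host/path, and ignores relative Locations."""
    if resp.status != 302:
        return False
    location = resp.headers.get("location", "")
    target_host = urlsplit(location).hostname or ""
    return target_host.lower() == sent_host.lower()


def _hostname(value: str) -> str:
    """Drop an optional :port and normalise case for allowlist comparison."""
    return value.split(":", 1)[0].strip().lower()


# Constructed allowlist: the names this deployment is legitimately reached under.
ALLOWED_HOSTS = frozenset({"acm.example.internal"})


def safe_redirect_location(request_host: str, path: str, canonical_host: str,
                           allowed_hosts: frozenset[str] = ALLOWED_HOSTS) -> str:
    """Server-side fix: an absolute redirect URL may use the request's Host
    only if it is on the allowlist; anything else falls back to the configured
    canonical host, so an attacker-supplied Host never reaches Location."""
    host = request_host if _hostname(request_host) in allowed_hosts else canonical_host
    return f"https://{host}{path}"


def run_demo() -> tuple[bool, bool]:
    """Exercise both a vulnerable and a fixed server with the same probe.
    Returns (vulnerable_detected, fixed_detected); expected (True, False)."""
    probe_host = random_host()
    # Constructed: a server that copies the Host header into its redirect.
    vulnerable = Response(302, {"location": f"https://{probe_host}/login"})
    # Constructed: a server applying safe_redirect_location().
    fixed = Response(302, {"location": safe_redirect_location(
        probe_host, "/login", "acm.example.internal")})
    return (reflects_untrusted_host(probe_host, vulnerable),
            reflects_untrusted_host(probe_host, fixed))


if __name__ == "__main__":
    print(run_demo())
```

The detection side deliberately requires both conditions, as the template does: a 302 alone is normal behaviour, and a reflected host in a non-redirect body is a different (lower-impact) finding. The mitigation side avoids the Host header entirely unless it matches a known name, which is the usual fix for this class of issue and independent of any vendor patch.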