CVE-2025-56266
published 2025-09-08

CVE-2025-56266: A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL.

Priority: P2 (67) · Severity: critical · CVSS 3.1 base score: 9.8
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 2.70% (84.0th percentile)

Affected (1 range)

Vendor      Product                  Version range   Fixed in
avigilon    access_control_manager   -               -

Detection & IOCs (extracted from sources)

Source: https://github.com/nikolas-ch/CVEs/tree/main/AvigilonACM_v7.10.0.20/HostHeaderInjection
  • Detect a Host Header Injection probe: look for HTTP GET / requests whose Host header is set to a random or unexpected external domain (not the server's own hostname), followed by a 302 redirect response whose Location header reflects the injected Host value.
  • Confirm that the target is Avigilon ACM by checking that the HTTP response body contains both the 'Avigilon' and 'Access Control Manager' strings before probing for Host Header Injection.
  • A successful exploitation attempt results in an HTTP 302 redirect whose Location header reflects the attacker-controlled Host header value sent in the request.
  • The vulnerability is confirmed only against Avigilon ACM version 7.10.0.20; other versions are not specified as affected.
  • The Nuclei template uses a two-step flow: the first request fingerprints the target as Avigilon ACM before the injection probe is sent, reducing false positives.
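As an added example (not code from the advisory or the linked repository), the detection logic in the bullets above applied to constructed proxy-log lines: a GET / whose 3xx Location points back at a client-supplied Host that is not one of the server's legitimate names is flagged. The tab-separated log format, the EXPECTED_HOSTS set and the sample hostnames are assumptions.

```python
from urllib.parse import urlsplit

# Hostnames this ACM instance is legitimately served under (assumption: set per deployment).
EXPECTED_HOSTS = {"acm.example.internal", "10.0.0.5"}


def bare_host(value):
    """Lower-case the Host header value and drop any :port suffix."""
    return value.split(":", 1)[0].strip().lower()


def is_reflected_host_redirect(request_host, status, location):
    """True when a 3xx Location points back at a client-supplied Host that is not ours."""
    if not location or not 300 <= status < 400:
        return False
    host = bare_host(request_host)
    if host in EXPECTED_HOSTS:
        return False
    return (urlsplit(location).hostname or "").lower() == host


def looks_like_acm(body):
    """Fingerprint the source template uses: both strings present in the response body."""
    return "Avigilon" in body and "Access Control Manager" in body


def parse_log_line(line):
    """Parse one constructed proxy-log line of tab-separated key=value fields."""
    fields = dict(kv.split("=", 1) for kv in line.rstrip("\n").split("\t"))
    fields["status"] = int(fields["status"])
    fields["location"] = fields.get("location") or None  # empty field -> no Location header
    return fields


def find_probes(lines):
    """Return (line_no, host) for every GET / whose redirect reflects a foreign Host header."""
    hits = []
    for n, line in enumerate(lines, 1):
        t = parse_log_line(line)
        if t["method"] == "GET" and t["path"] == "/" and \
                is_reflected_host_redirect(t["host"], t["status"], t["location"]):
            hits.append((n, bare_host(t["host"])))
    return hits


# Constructed sample traffic; only line 2 matches the reflected-redirect pattern the advisory describes.
SAMPLE_LOG = [
    "method=GET\tpath=/\thost=acm.example.internal\tstatus=302\tlocation=https://acm.example.internal/login",
    "method=GET\tpath=/\thost=unexpected.example:8443\tstatus=302\tlocation=https://unexpected.example:8443/login",
    "method=GET\tpath=/\thost=unexpected.example\tstatus=404\tlocation=",
    "method=GET\tpath=/status\thost=acm.example.internal\tstatus=200\tlocation=",
]

if __name__ == "__main__":
    for n, host in find_probes(SAMPLE_LOG):
        print(f"line {n}: redirect reflects foreign Host {host}")
```

The same predicate can be run over real reverse-proxy or WAF logs once the field mapping is adjusted; pairing it with looks_like_acm on the response body mirrors the template's two-step flow and keeps alerts scoped to ACM hosts.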