Introduction
Privilege escalation and arbitrary code execution in enterprise video surveillance infrastructure can lead to unauthorized access, tampering with security footage, or complete system compromise. CVE-2025-10226 exposes AxxonSoft Axxon One 2.0.8 and earlier to these risks due to its reliance on an outdated PostgreSQL backend, making this vulnerability highly significant for organizations managing critical physical security assets.
About AxxonSoft and Axxon One: AxxonSoft is a global provider of video management software (VMS) and integrated security solutions, with deployments in critical infrastructure, enterprise, and government sectors. Axxon One is its flagship VMS platform, supporting large-scale surveillance, analytics, and integration with thousands of camera models. The platform is widely used in environments where video integrity and system reliability are paramount.
Technical Information
CVE-2025-10226 is a dependency vulnerability in Axxon One 2.0.8 and earlier (Windows and Linux) resulting from the use of PostgreSQL v10.x as the backend database. PostgreSQL 10.x contains multiple critical vulnerabilities, several of which are actively exploited and resolved only in PostgreSQL 17.4. Key technical aspects include:
Vulnerability Mechanism:
- The Axxon One application interfaces with PostgreSQL for all metadata, configuration, and archive management. By embedding or requiring PostgreSQL 10.x, it inherits all unpatched vulnerabilities from that version.
- Notable vulnerabilities in PostgreSQL 10.x include:
- CVE-2025-8714: Arbitrary OS code execution via maliciously crafted pg_dump files. Attackers with DB access can inject psql meta-commands into dump files, which execute as the OS user during restoration (details).
- CVE-2025-8715: Code and SQL injection through improper newline handling in object names during dump/restore (analysis).
- CVE-2025-1094: SQL injection in psql client, exploitable via crafted input (Rapid7 writeup).
- CVE-2019-10164: Stack-based buffer overflow in password change routine, enabling code execution (CrunchyData).
- CVE-2018-10925: Memory disclosure via INSERT ... ON CONFLICT DO UPDATE with CREATE TABLE privilege (PostgreSQL Security).
- CVE-2017-12172: Privilege escalation to root via log file manipulation in startup scripts (PostgreSQL Security).
- Attackers can exploit these flaws by gaining DB access (via network, compromised credentials, or application flaws) and leveraging known exploits to escalate privileges or execute arbitrary code on the server.
- The root cause is the use of an unsupported and vulnerable PostgreSQL version, exposing the application to all upstream flaws.
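The dump-file mechanism above (CVE-2025-8714) turns a restore into code execution because a plain-format pg_dump script is fed to psql, and psql executes any meta-command it finds. A defender restoring archives for an Axxon One backend can therefore screen a plain-format dump for meta-commands before handing it to psql. The following scanner is an added example, not AxxonSoft or PostgreSQL code; the allowlist of meta-commands that pg_dump/pg_dumpall legitimately emit, the set treated as shell-reaching, and the sample dump text are all assumptions constructed for illustration.

```python
"""Pre-restore screen for plain-format pg_dump scripts (added example).

Flags psql meta-commands that `psql -f dump.sql` would execute on the
restoring host. COPY ... FROM stdin data blocks are skipped, since data
rows may legitimately start with a backslash and only '\\.' ends them.
"""
import re
from dataclasses import dataclass
from typing import List

# Assumption: meta-commands pg_dump / pg_dumpall emit in their own output.
ALLOWED_META = {r"\connect", r"\restrict", r"\unrestrict"}

# Assumption: meta-commands that read/write files or run programs outside
# the database session. Any other unknown meta-command is still reported.
SHELL_META = {
    r"\!", r"\copy", r"\i", r"\ir", r"\include", r"\include_relative",
    r"\o", r"\out", r"\w", r"\write", r"\g", r"\gx", r"\setenv",
    r"\e", r"\edit", r"\ef", r"\ev",
}

COPY_START = re.compile(r"^\s*COPY\s.*\bFROM\s+stdin\s*;\s*$", re.IGNORECASE)
META = re.compile(r"^\s*(\\[A-Za-z!?.]+)")  # leading backslash command token


@dataclass
class Finding:
    line_no: int
    command: str
    severity: str  # "shell" or "unexpected"
    text: str


def scan_dump(text: str) -> List[Finding]:
    """Return every non-allowlisted meta-command found outside COPY data."""
    findings: List[Finding] = []
    in_copy = False
    for n, line in enumerate(text.splitlines(), start=1):
        if in_copy:
            # Inside a COPY block every line is data until the terminator.
            if line.rstrip("\r") == r"\.":
                in_copy = False
            continue
        if COPY_START.match(line):
            in_copy = True
            continue
        m = META.match(line)
        if not m:
            continue
        cmd = m.group(1)
        if cmd in ALLOWED_META:
            continue
        shell = cmd in SHELL_META or cmd.startswith(r"\!")
        findings.append(Finding(n, cmd, "shell" if shell else "unexpected", line.strip()))
    return findings


def is_safe_to_restore(text: str) -> bool:
    """True only when no shell-reaching meta-command is present."""
    return not any(f.severity == "shell" for f in scan_dump(text))


# Constructed sample dump; the two trailing meta-commands stand in for the
# kind of line the advisory describes, and are harmless here.
SAMPLE_DUMP = "\n".join([
    "--",
    "-- PostgreSQL database dump (constructed sample, not a real Axxon One dump)",
    "--",
    "SET statement_timeout = 0;",
    "\\connect axxon_db",
    "CREATE TABLE public.cameras (id integer, name text);",
    "COPY public.cameras (id, name) FROM stdin;",
    "1\tlobby",
    "\\\\escaped\tdata row that starts with a backslash",
    "\\.",
    "\\! echo injected-meta-command",
    "\\i /tmp/more.sql",
    "SELECT pg_catalog.setval('public.cameras_id_seq', 2, true);",
])

if __name__ == "__main__":
    for f in scan_dump(SAMPLE_DUMP):
        print(f"line {f.line_no}: {f.severity:10} {f.command:10} | {f.text}")
    print("safe to restore:", is_safe_to_restore(SAMPLE_DUMP))
```

Run it against a real plain-format dump with `scan_dump(open(path).read())` before restoring; custom-format (`-Fc`) archives must first be converted with `pg_restore -f -` so the generated script, not the binary archive, is what gets screened.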
No public code snippets or exploit PoCs are included in this summary.
Affected Systems and Versions
- Product: AxxonSoft Axxon One
- Affected Versions: 2.0.8 and all earlier versions
- Platforms: Windows and Linux
- Database Dependency: PostgreSQL v10.x (all minor versions)
- Vulnerable Configurations:
- Any deployment (embedded or external PostgreSQL) using v10.x as the backend
- Both default and custom configurations are affected if PostgreSQL 10.x is present
- Fixed Version: Upgrade to PostgreSQL 17.4 (requires Axxon One 2.0.9 or later for embedded DB)
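Because the affected condition is simply "PostgreSQL 10.x behind Axxon One" and the fixed version is 17.4, an operator can triage a deployment from the version string the backend reports. The following checker is an added example, not vendor code: it parses the output of `SELECT version();` or `postgres --version` (constructed sample strings below) and classifies it against the version ranges listed on this page. The three status labels are this example's own.

```python
"""Classify a PostgreSQL version string against CVE-2025-10226 (added example)."""
import re
from typing import Dict, NamedTuple, Optional

FIXED_VERSION = (17, 4)   # fixed version named in the advisory
AFFECTED_MAJOR = 10       # PostgreSQL 10.x, all minor versions


class PgVersion(NamedTuple):
    major: int
    minor: int


# Matches "PostgreSQL 10.23 on x86_64..." (SELECT version()) and
# "postgres (PostgreSQL) 10.23" / "psql (PostgreSQL) 17.4" (CLI --version).
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_pg_version(text: str) -> Optional[PgVersion]:
    """Extract major.minor from a server or client version string."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return PgVersion(int(m.group(1)), int(m.group(2)))


def assess(version_text: str) -> Dict[str, object]:
    """Return the parsed version and a status label (example's own labels):
    'affected'     - PostgreSQL 10.x, the range named in the advisory
    'below_fixed'  - newer than 10.x but still older than 17.4
    'ok'           - 17.4 or later
    'unknown'      - string could not be parsed
    """
    v = parse_pg_version(version_text)
    if v is None:
        return {"version": None, "status": "unknown"}
    if v.major == AFFECTED_MAJOR:
        status = "affected"
    elif (v.major, v.minor) < FIXED_VERSION:
        status = "below_fixed"
    else:
        status = "ok"
    return {"version": v, "status": status}


# Constructed sample outputs, as an operator might collect them.
SAMPLES = {
    "embedded-linux": "PostgreSQL 10.23 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit",
    "embedded-win":   "PostgreSQL 10.23, compiled by Visual C++ build 1800, 64-bit",
    "external-16":    "postgres (PostgreSQL) 16.9",
    "upgraded":       "postgres (PostgreSQL) 17.4",
}

if __name__ == "__main__":
    for host, text in SAMPLES.items():
        r = assess(text)
        print(f"{host:15} {str(r['version']):22} -> {r['status']}")
```

To feed it live data, run `psql -At -c "SELECT version();"` against the Axxon One database (or `postgres --version` on the host where the embedded server binary lives) and pass the single line to `assess()`.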
Vendor Security History
AxxonSoft maintains a public security advisory program (advisories), regularly addressing vulnerabilities in both first-party code and third-party dependencies. Previous advisories have covered:
- OpenSSL dependency issues
- NuGet-based dependency vulnerabilities
- Encryption enhancements for object archives
The vendor's response to CVE-2025-10226 was timely, with advisory AXXON-SEC-2025-007 published within months of PostgreSQL 17.4's release. Their advisories include clear affected version ranges, mitigation steps, and validation of fixes. However, the recurrence of dependency-related advisories highlights ongoing supply chain risk management challenges.