CVE-2025-10220: CWE-1104: Use of Unmaintained Third Party Components in AxxonSoft AxxonOne
Use of Unmaintained Third Party Components (CWE-1104) in the NuGet dependency components in AxxonSoft Axxon One VMS 2.0.0 through 2.0.4 on Windows allows a remote attacker to execute arbitrary code or bypass security features via exploitation of vulnerable third-party packages such as Google.Protobuf, DynamicData, System.Runtime.CompilerServices.Unsafe, and others.
AI Analysis
Technical Summary
CVE-2025-10220 is a critical vulnerability identified in AxxonSoft's AxxonOne Video Management System (VMS) versions 2.0.0 through 2.0.4 running on Windows. The root cause is the use of unmaintained third-party NuGet components, including but not limited to Google.Protobuf, DynamicData, and System.Runtime.CompilerServices.Unsafe. These dependencies contain known security flaws that have not been patched or updated, creating an attack surface within the AxxonOne platform. An unauthenticated remote attacker can exploit these vulnerable components to execute arbitrary code or bypass security controls, potentially gaining full control over the affected system. The vulnerability is classified under CWE-1104, which relates to the use of unmaintained third-party components that introduce security risks due to lack of ongoing support and patching. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact affects confidentiality, integrity, and availability, allowing full system compromise remotely. No public exploits are currently known in the wild, but the critical nature and ease of exploitation make this a high-risk vulnerability for organizations using AxxonOne VMS. The absence of available patches at the time of disclosure further exacerbates the risk.
Potential Impact
For European organizations, the impact of this vulnerability can be severe, especially for entities relying on AxxonOne VMS for security surveillance and physical security management. Successful exploitation could lead to unauthorized access to video feeds, manipulation or deletion of recorded footage, and disruption of security operations. This compromises both physical security and data privacy, potentially violating GDPR regulations due to unauthorized access or data breaches involving personal data captured by surveillance systems. Critical infrastructure, government facilities, transportation hubs, and large enterprises using AxxonOne could face operational disruptions and reputational damage. The ability to execute arbitrary code remotely without authentication means attackers could deploy ransomware, establish persistent backdoors, or pivot into broader corporate networks. Given the strategic importance of surveillance systems in security and law enforcement, the threat extends beyond IT to physical safety and regulatory compliance.
Mitigation Recommendations
Immediate mitigation steps include:
1) Conduct an inventory to identify all instances of AxxonOne VMS versions 2.0.0 through 2.0.4 in use.
2) Apply any vendor-released patches or updates as soon as they become available. Since no patches were available at disclosure, monitor AxxonSoft advisories closely.
3) Implement network segmentation to isolate AxxonOne servers from the broader corporate network, and restrict inbound access to trusted management IPs only.
4) Deploy strict firewall rules and intrusion detection/prevention systems to monitor and block suspicious traffic targeting AxxonOne services.
5) Temporarily disable or limit remote access to the VMS until patches are applied.
6) Review and update third-party component management policies so that dependencies are actively maintained and regularly audited.
7) Employ application whitelisting and endpoint protection on VMS hosts to detect and prevent unauthorized code execution.
8) Log and monitor VMS activity thoroughly to detect potential exploitation attempts early.
9) Engage AxxonSoft support for guidance and a timeline on patch availability.
These targeted actions go beyond generic advice by focusing on immediate containment, dependency management, and network controls specific to this vulnerability.
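As an added example (not from the advisory or from AxxonSoft), the following Python script supports the inventory and dependency-audit steps above: it parses the *.deps.json manifests that .NET applications ship next to their binaries and reports any NuGet package named in this CVE, so an operator can check deployed installations without access to source. The sample manifest and its version strings are constructed placeholders, not the versions Axxon One actually ships.

```python
import json
from pathlib import Path

# Package IDs named in the CVE-2025-10220 description. NuGet IDs are
# case-insensitive, so matching is done on the lower-cased form.
WATCHLIST = {"google.protobuf", "dynamicdata", "system.runtime.compilerservices.unsafe"}

def inventory_deps_json(text, watchlist=WATCHLIST):
    """Parse a .NET *.deps.json manifest and return sorted (id, version) pairs
    for every NuGet package whose id is on the watchlist."""
    doc = json.loads(text)
    hits = set()
    for key, lib in doc.get("libraries", {}).items():
        if lib.get("type") != "package":
            continue  # "project" entries are the application's own assemblies
        name, _, version = key.partition("/")  # library keys look like "Id/Version"
        if name.lower() in watchlist:
            hits.add((name, version))
    return sorted(hits)

def scan_install_dir(root, watchlist=WATCHLIST):
    """Walk a deployment directory and collect watchlist packages from every
    *.deps.json beneath it, keyed by manifest path."""
    root = Path(root)
    findings = {}
    if not root.is_dir():
        return findings
    for path in root.rglob("*.deps.json"):
        try:
            hits = inventory_deps_json(path.read_text(encoding="utf-8"), watchlist)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: nothing to report
        if hits:
            findings[str(path)] = hits
    return findings

# Constructed sample manifest. The versions are placeholders, not the versions
# that Axxon One actually ships; hash fields are omitted for brevity.
SAMPLE_DEPS_JSON = json.dumps({
    "libraries": {
        "ExampleVmsClient/1.0.0": {"type": "project", "serviceable": False},
        "Google.Protobuf/0.0.0-placeholder": {"type": "package", "serviceable": True},
        "DynamicData/0.0.0-placeholder": {"type": "package", "serviceable": True},
        "Newtonsoft.Json/13.0.3": {"type": "package", "serviceable": True},
    },
})

if __name__ == "__main__":
    for name, version in inventory_deps_json(SAMPLE_DEPS_JSON):
        print(f"REVIEW  {name} {version}")
```

Point `scan_install_dir()` at the VMS installation root to get a per-manifest report; whether a reported version is still maintained must then be checked against the vendor's and package maintainers' advisories.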
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: AxxonSoft
- Date Reserved: 2025-09-10T12:28:18.184Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68c172f9e55cc6e90da1b4bf
Added to database: 9/10/2025, 12:45:45 PM
Last enriched: 9/10/2025, 1:00:24 PM
Last updated: 9/10/2025, 2:15:17 PM