CVE-2025-56267: n/a
A CSV injection vulnerability in the /id_profiles endpoint of Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code by supplying a crafted Excel file.
AI Analysis
Technical Summary
CVE-2025-56267 is a CSV injection vulnerability identified in the /id_profiles endpoint of Avigilon Access Control Manager (ACM) version 7.10.0.20. CSV injection, also known as formula injection, occurs when untrusted input is embedded into CSV files that are later opened by spreadsheet software such as Microsoft Excel. In this case, the vulnerability allows an attacker to supply a crafted Excel file or CSV content that includes malicious formulas or commands. When a legitimate user opens the exported or processed CSV file, these formulas can execute arbitrary code or commands on the user's machine, potentially leading to unauthorized actions such as data exfiltration, malware execution, or system compromise. The vulnerability arises from insufficient sanitization or validation of user-supplied input before it is embedded into the CSV output generated by the /id_profiles endpoint. Although no CVSS score has been assigned yet and no known exploits are reported in the wild, the vulnerability poses a significant risk because it targets spreadsheet files, a common vector that is widely used for data exchange and reporting. Avigilon ACM is a physical security management platform used to control access and monitor security devices, so exploitation could indirectly affect physical security controls if attackers gain footholds through this vector. The lack of patch information suggests that remediation may not yet be available, increasing the urgency for organizations to implement mitigations.
Potential Impact
For European organizations, the impact of this vulnerability can be substantial, especially for entities relying on Avigilon ACM for physical security management such as government agencies, critical infrastructure operators, transportation hubs, and large enterprises. Successful exploitation could lead to arbitrary code execution on the machines of personnel who open the malicious CSV files, potentially compromising their systems and allowing attackers to pivot into internal networks. This could result in unauthorized access to sensitive physical security configurations, manipulation of access controls, or disruption of security monitoring. Additionally, the breach of physical security systems can have cascading effects on operational continuity and safety. Since CSV files are commonly shared among teams and external partners, the attack surface is broad, increasing the risk of inadvertent infection. The absence of known exploits in the wild does not eliminate the risk, as attackers may develop exploits once the vulnerability details become widely known. European organizations must consider the regulatory implications as well, including GDPR requirements to protect personal data that may be handled within these systems.
Mitigation Recommendations
To mitigate this vulnerability, European organizations using Avigilon ACM v7.10.0.20 should implement the following specific measures:
1) Avoid opening CSV or Excel files exported from the /id_profiles endpoint in untrusted environments or by users without proper security controls.
2) Employ CSV sanitization tools or scripts that neutralize potentially malicious formulas by prefixing cells with a single quote or other safe characters before opening or sharing files.
3) Restrict access to the /id_profiles endpoint to trusted users only and monitor usage logs for unusual activity.
4) Educate users about the risks of CSV injection and train them to recognize suspicious spreadsheet files.
5) Implement application-layer input validation and output encoding if customization or scripting is possible within Avigilon ACM to prevent injection of malicious content.
6) Monitor vendor communications closely for patches or updates addressing this vulnerability and apply them promptly once available.
7) Use endpoint protection solutions capable of detecting and blocking malicious macro or formula execution within spreadsheet applications.
8) Consider isolating systems used to open such files in sandboxed or virtualized environments to limit potential damage from exploitation.
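Measure 2 above, as an added example (not code from Avigilon or from this page): a Python script that prefixes a single quote to formula-leading cells in an exported CSV before the file is opened or shared. The trigger-character set, the decision to leave plain numbers untouched, and the sample rows are assumptions of this example.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell (assumed set).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

def is_plain_number(text):
    """True for values such as -12.5 that only look like a formula start."""
    try:
        float(text)
        return True
    except ValueError:
        return False

def neutralize_cell(value):
    """Prefix a single quote to any cell a spreadsheet might evaluate."""
    stripped = value.lstrip(" ")  # conservative: ignore leading spaces
    if stripped.startswith(FORMULA_TRIGGERS) and not is_plain_number(stripped):
        return "'" + value
    return value

def sanitize_csv(text):
    """Return (sanitized CSV text, list of (row, column) cells changed)."""
    changed = []
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for r, row in enumerate(csv.reader(io.StringIO(text, newline=""))):
        clean = []
        for c, cell in enumerate(row):
            fixed = neutralize_cell(cell)
            if fixed != cell:
                changed.append((r, c))
            clean.append(fixed)
        writer.writerow(clean)
    return out.getvalue(), changed

# Constructed sample export; column names and values are illustrative only.
SAMPLE = (
    "id,name,note\n"
    "1,Front desk,regular badge\n"
    "2,=1+1,starts with equals\n"
    '3,"@SUM(A1:A2)","quoted, with comma"\n'
    "4,Lab,-12.5\n"
)

if __name__ == "__main__":
    cleaned, flagged = sanitize_csv(SAMPLE)
    print(cleaned)
    print("neutralized cells (row, col):", flagged)
```

The list of changed cells doubles as a review signal: an export in which any cell needed neutralizing is worth checking against the usage logs mentioned in measure 3.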
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-16T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68bf0f70d5a2966cfc81c067
Added to database: 9/8/2025, 5:16:32 PM
Last enriched: 9/8/2025, 5:31:38 PM
Last updated: 9/9/2025, 9:23:10 AM