CVE-2026-30695 in Axess
Summary
by MITRE • 03/18/2026
A Cross-Site Scripting (XSS) vulnerability exists in the web-based configuration interface of Zucchetti Axess access control devices, including XA4, X3/X3BIO, X4, X7, and XIO / i-door / i-door+. The vulnerability is caused by improper sanitization of user-supplied input in the dirBrowse parameter of the /file_manager.cgi endpoint.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability identified as CVE-2026-30695 represents a critical cross-site scripting weakness within the web interface of Zucchetti Axess access control systems, affecting multiple device models including XA4, X3/X3BIO, X4, X7, and the XIO/i-door/i-door+ series. This security flaw resides in the file manager component of these industrial access control devices, which are widely deployed in enterprise and institutional environments for physical security management. The affected systems operate with web-based administrative interfaces that allow security personnel to configure and manage access control policies, making this vulnerability particularly concerning for organizations relying on these devices for critical infrastructure protection. The vulnerability specifically manifests in the /file_manager.cgi endpoint where the dirBrowse parameter fails to properly sanitize user-provided input, creating an avenue for malicious actors to inject arbitrary script code.
The technical exploitation of this vulnerability stems from inadequate input validation and sanitization practices within the device's web interface implementation. When the dirBrowse parameter receives user-supplied data without proper filtering or encoding, it allows attackers to inject malicious JavaScript code that executes within the context of other users' browser sessions. This improper sanitization directly maps to CWE-79, which specifically addresses Cross-Site Scripting vulnerabilities resulting from insufficient validation or sanitization of user-supplied input. The flaw operates by bypassing the device's built-in security mechanisms that should prevent dangerous characters and script sequences from being processed as legitimate input, allowing attackers to craft malicious payloads that can be executed when other users navigate to affected pages or interact with the vulnerable interface.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal administrative credentials, or manipulate access control configurations. In enterprise environments where these devices manage physical access to sensitive areas, an attacker could potentially escalate privileges by stealing administrator sessions or redirecting legitimate users to malicious sites that appear to be part of the access control system. The attack surface is particularly broad given that these devices are often deployed in environments with high security requirements, where the compromise of a single access control device could provide unauthorized access to restricted areas. Additionally, the vulnerability affects multiple device models, suggesting a systemic flaw in the software architecture that could impact numerous installations across different organizations, potentially creating cascading security failures in interconnected access control networks.
Organizations should implement immediate mitigations including network segmentation to restrict access to the affected web interfaces, deployment of web application firewalls to filter malicious requests, and regular monitoring for anomalous traffic patterns that might indicate exploitation attempts. The recommended approach includes disabling unnecessary administrative web interfaces when not actively required, implementing strict access controls for the file manager endpoint, and conducting thorough security assessments of the entire access control ecosystem. Security teams should also establish incident response procedures specifically addressing potential XSS exploitation attempts and ensure that all affected devices are updated with patches once available. The vulnerability's presence in industrial control systems underscores the importance of following security standards such as NIST SP 800-82 for industrial control systems security and adheres to ATT&CK framework tactic T1059.007 for script injection techniques, emphasizing the need for comprehensive security postures in physical security infrastructure that often receives less attention than traditional IT systems.