
Security Advisories

ID | Date Published | Severity | Product Affected | Affected Version/Components | Resolved Version
---|---|---|---|---|---
AXXON-SEC-2025-001 | 2024-08-20 | High | AxxonNet / ARP Agent | AxxonOne 2.0.4 and earlier with TRACE logging enabled | AxxonCloud – Post 3.15.0 release
AXXON-SEC-2025-002 | 2025-05-27 | Medium | Axxon One | NuGet-based dependencies including Grpc, Protobuf, CefSharp, etc. |
AXXON-SEC-2025-003 | 2024-07-10 | Medium | Axxon One | Axxon One 2.0.0 – 2.0.1 | 2.0.2
AXXON-SEC-2025-004 | 2024-10-12 | Medium | Axxon One | All versions prior to 2.0.3 | 2.0.3
AXXON-SEC-2025-005 | 2025-01-19 | Medium | Axxon One | Axxon One 2.0.2 and earlier | 2.0.2
AXXON-SEC-2025-006 | 2024-11-01 | High | Axxon One | Axxon One 2.0.6 and earlier | Migrated to OpenSSL 3.0.13
AXXON-SEC-2025-007 | 2025-03-08 | High | Axxon One | Axxon One 2.0.8 and earlier | PostgreSQL 17.4
AXXON-SEC-2025-008 | 2025-05-01 | High | Axxon One Object Archive | All versions before 2.0.8 | 2.0.8

Advisory ID: AXXON-SEC-2025-001

  • Title: Plaintext Password Exposure in AxxonNet ARP Agent Logs
  • Date Published: 2024-08-20
  • Severity: High
  • Product Affected: AxxonNet / ARP Agent
  • Affected Versions: AxxonOne 2.0.4 and earlier with TRACE logging enabled
  • Resolved Version: AxxonCloud – Post 3.15.0 release

Vulnerability Overview:
When a domain was added to AxxonNet Cloud with TRACE logging enabled, the agent wrote the user's password in plaintext to the system log, inside the serialized JSON payload recorded by arpagent.exe. Anyone with read access to those log files could recover the credential.

Mitigation:
The TRACE log system was updated to mask password fields, so that only the encoded_password field is written. Plaintext passwords no longer appear in TRACE output.

Recommendation:
Update to version 3.15.0 or later. Do not enable TRACE logging in production unless it is required for debugging, and rotate any credentials that were entered while TRACE logging was enabled, since they may already be present in retained log files.

Acknowledgments:
This vulnerability was discovered and resolved internally by AxxonSoft QA and engineering teams.
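The masking the mitigation describes, and the check to run on logs written while TRACE was enabled, as an added Go example that is not AxxonSoft's code: a payload is passed through a redaction pass before it is serialized for a TRACE entry, and a second function scans existing log text for password fields that were written unmasked, which tells you which credentials need rotation. The field names, log line format and sample lines are constructed for the example. The encoded_password field is left untouched to mirror the advisory; an encoding is not encryption, so treat such a field as sensitive unless the encoding is known to be non-reversible.

```go
// Added example (not AxxonSoft code): mask secret fields in a JSON payload
// before it reaches a TRACE log, and scan existing log text for leaks.
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Field names treated as secrets. "encoded_password" is deliberately not in
// this list, mirroring the advisory's fix; whether that field is safe to log
// depends on the encoding being non-reversible, which this example does not assume.
var secretKeys = map[string]bool{"password": true, "passwd": true, "pwd": true, "secret": true}

// MaskSecrets walks a decoded JSON value and replaces secret values with "***".
func MaskSecrets(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			if secretKeys[strings.ToLower(k)] {
				out[k] = "***"
			} else {
				out[k] = MaskSecrets(val)
			}
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, val := range t {
			out[i] = MaskSecrets(val)
		}
		return out
	default:
		return v
	}
}

// TraceLine serializes a payload for a TRACE entry with secrets already masked,
// so the unmasked value never reaches the logging subsystem.
func TraceLine(prefix string, payload map[string]any) (string, error) {
	b, err := json.Marshal(MaskSecrets(payload))
	if err != nil {
		return "", err
	}
	return prefix + " " + string(b), nil
}

// leakPattern captures the value of a JSON password field for inspection.
var leakPattern = regexp.MustCompile(`(?i)"(password|passwd|pwd)"\s*:\s*"([^"]*)"`)

// FindLeaks returns the 1-based numbers of lines that carry an unmasked password.
func FindLeaks(logText string) []int {
	var hits []int
	for i, line := range strings.Split(logText, "\n") {
		for _, m := range leakPattern.FindAllStringSubmatch(line, -1) {
			if m[2] != "***" {
				hits = append(hits, i+1)
				break
			}
		}
	}
	return hits
}

func main() {
	payload := map[string]any{
		"domain":   "site-01",
		"user":     "admin",
		"password": "Sup3rSecret!",
		"proxy":    map[string]any{"host": "10.0.0.5", "password": "p2"},
	}
	line, _ := TraceLine("TRACE arpagent AddDomain", payload)
	fmt.Println(line)

	// Constructed log excerpt for the scan; not real arpagent.exe output.
	sample := `TRACE arpagent AddDomain {"domain":"site-01","password":"Sup3rSecret!"}
INFO arpagent cloud connection established
TRACE arpagent AddDomain {"domain":"site-02","password":"***","encoded_password":"<encoded>"}`
	fmt.Println("lines with plaintext passwords:", FindLeaks(sample))
}
```

Masking at serialization time, rather than filtering the log sink afterwards, is the design point: a sink-side filter can miss a value that spans a line or is pretty-printed, while a value that was never serialized cannot leak.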

Advisory ID: AXXON-SEC-2025-002

  • Title: Update of Third-Party NuGet Packages to Patch Vulnerable Dependencies
  • Date Published: 2025-05-27
  • Severity: Medium
  • Product Affected: Axxon One
  • Affected Components: NuGet-based dependencies including Grpc, Protobuf, CefSharp, etc.

Vulnerability Overview:
Outdated versions of multiple NuGet packages contained known vulnerabilities or potential incompatibilities in certain environments (especially Linux).

Mitigation:
The following dependencies were updated:

  • System.Runtime.CompilerServices.Unsafe → 6.1.2
  • DynamicData → 9.3.2
  • Google.Protobuf → 3.31.0
  • CommandLineParser, Grpc.Tools, Microsoft.Bcl.AsyncInterfaces, CefSharp.*, prometheus-net and others upgraded to latest compatible stable releases.

Newer Grpc package versions were tested but reverted because of environment-specific issues.

Recommendation:
Ensure deployment includes the updated versions listed above. Rebuild and retest dependent installers as part of post-upgrade verification.

Acknowledgments:
This vulnerability was addressed through the proactive efforts of AxxonSoft QA and development teams during scheduled stabilization sprints.
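One way to verify the recommendation above against a project file, as an added Go example rather than AxxonSoft tooling: it reads PackageReference entries from a .csproj and flags any of the three packages whose minimum versions the advisory states explicitly. The minimums table and the sample project file are constructed for the example. A numeric, component-wise comparison is used because a plain string comparison would rank Google.Protobuf 3.4.1 above 3.31.0.

```go
// Added example (not AxxonSoft code): check a .csproj against the minimum
// package versions named in this advisory.
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
	"strings"
)

// Minimum versions taken from the advisory's mitigation list.
var minimums = map[string]string{
	"System.Runtime.CompilerServices.Unsafe": "6.1.2",
	"DynamicData":                            "9.3.2",
	"Google.Protobuf":                        "3.31.0",
}

type project struct {
	Refs []struct {
		Include string `xml:"Include,attr"`
		Version string `xml:"Version,attr"`
	} `xml:"ItemGroup>PackageReference"`
}

// compareVersions compares dotted numeric versions component by component
// (so 3.4.1 < 3.31.0). A pre-release suffix such as "-beta1" is stripped.
func compareVersions(a, b string) int {
	pa := strings.Split(strings.SplitN(a, "-", 2)[0], ".")
	pb := strings.Split(strings.SplitN(b, "-", 2)[0], ".")
	for i := 0; i < len(pa) || i < len(pb); i++ {
		var x, y int
		if i < len(pa) {
			x, _ = strconv.Atoi(pa[i])
		}
		if i < len(pb) {
			y, _ = strconv.Atoi(pb[i])
		}
		if x < y {
			return -1
		}
		if x > y {
			return 1
		}
	}
	return 0
}

// Outdated returns the advisory-listed packages pinned below their minimum,
// mapped to the version found in the project file.
func Outdated(csproj string) (map[string]string, error) {
	var p project
	if err := xml.Unmarshal([]byte(csproj), &p); err != nil {
		return nil, err
	}
	old := map[string]string{}
	for _, r := range p.Refs {
		if want, ok := minimums[r.Include]; ok && compareVersions(r.Version, want) < 0 {
			old[r.Include] = r.Version
		}
	}
	return old, nil
}

func main() {
	// Constructed project file, not one shipped with Axxon One.
	csproj := `<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Google.Protobuf" Version="3.4.1" />
    <PackageReference Include="DynamicData" Version="9.3.2" />
    <PackageReference Include="System.Runtime.CompilerServices.Unsafe" Version="6.0.0" />
  </ItemGroup>
</Project>`
	old, err := Outdated(csproj)
	if err != nil {
		panic(err)
	}
	for name, v := range old {
		fmt.Printf("%s %s is below the required %s\n", name, v, minimums[name])
	}
}
```

Run this over every project in the build, not just the top-level one, and pair it with the restored-package lock file where one exists, since transitive versions are resolved there rather than in the .csproj.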

Advisory ID: AXXON-SEC-2025-003

  • Title: Exposure of Licensing-Related Sensitive Information in Diagnostic Dumps
  • Date Published: 2024-07-10
  • Severity: Medium
  • Product Affected: Axxon One
  • Affected Versions: Axxon One 2.0.0 – 2.0.1
  • Resolved Version: 2.0.2

Vulnerability Overview:
Sensitive internal variables, including license validation data, were unintentionally exposed in diagnostic output collected by the built-in troubleshooting tool. Although direct credential leakage was not observed, internal logic values such as timestamps, license state, and registry values were present in plaintext.

Mitigation:
The dump collection utility was updated to exclude sensitive registry and memory content. Internal validation logic was refactored to separate sensitive data from support-exported traces.

Recommendation:
Customers are advised to upgrade to version 2.0.2 or later. Diagnostic files previously sent to third parties should be reviewed and deleted if necessary.

Acknowledgments:
Reported and resolved by AxxonSoft’s internal QA team as part of routine license module hardening.

Advisory ID: AXXON-SEC-2025-004

  • Title: Improper Session Cleanup on Role Removal in Web Admin Panel
  • Date Published: 2024-10-12
  • Severity: Medium
  • Product Affected: Axxon One
  • Affected Versions: All versions prior to 2.0.3
  • Resolved Version: 2.0.3

Vulnerability Overview:
When a user’s role is removed while they are still logged into the Web UI, their current session remains valid, allowing continued access until the session naturally expires. This creates a short-lived window where removed privileges are still active.

Mitigation:
The Web UI now forces an immediate logout of the affected user's sessions when their role assignments change. Every forced logout is recorded in the system log so administrators can review it.

Recommendation:
Upgrade to version 2.0.3 or later. For earlier versions, administrators are advised to manually log out affected users when changing access rights.

Acknowledgments:
Identified internally during access control regression testing.
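The behaviour before and after the fix, as an added Go example that is not Axxon One's session code: a session caches the user's roles at login, RemoveRoleNoLogout changes only the stored record (so the cached session still authorizes, which is the pre-2.0.3 window), and RemoveRole additionally terminates every live session of that user and writes a forced-logout line to a constructed audit log. The type names and the user-to-session index are assumptions for the example.

```go
// Added example (not AxxonSoft code): a session store where a role change
// terminates the user's live sessions, next to the pre-fix behaviour.
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

type Session struct {
	User    string
	Roles   map[string]bool // copied at login; this cache is what goes stale
	Expires time.Time
}

type Store struct {
	users    map[string]map[string]bool // persisted role assignments
	sessions map[string]*Session
	byUser   map[string]map[string]bool // user -> live session IDs
	Audit    []string                   // stands in for the system log
}

func NewStore() *Store {
	return &Store{
		users:    map[string]map[string]bool{},
		sessions: map[string]*Session{},
		byUser:   map[string]map[string]bool{},
	}
}

func (s *Store) SetRoles(user string, roles ...string) {
	rs := map[string]bool{}
	for _, r := range roles {
		rs[r] = true
	}
	s.users[user] = rs
}

func (s *Store) Login(user string, ttl time.Duration) (string, error) {
	roles, ok := s.users[user]
	if !ok {
		return "", errors.New("unknown user")
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	cached := map[string]bool{}
	for r := range roles {
		cached[r] = true
	}
	s.sessions[id] = &Session{User: user, Roles: cached, Expires: time.Now().Add(ttl)}
	if s.byUser[user] == nil {
		s.byUser[user] = map[string]bool{}
	}
	s.byUser[user][id] = true
	return id, nil
}

// Authorize is the per-request check; it trusts the roles cached in the session.
func (s *Store) Authorize(id, role string) error {
	sess, ok := s.sessions[id]
	if !ok || time.Now().After(sess.Expires) {
		return errors.New("no valid session")
	}
	if !sess.Roles[role] {
		return errors.New("role not granted")
	}
	return nil
}

// RemoveRoleNoLogout mirrors versions before 2.0.3: only the persisted record
// changes, so a live session keeps the removed role until it expires.
func (s *Store) RemoveRoleNoLogout(user, role string) {
	delete(s.users[user], role)
}

// RemoveRole is the fixed behaviour: persist the change, then terminate every
// live session of that user and record each forced logout.
func (s *Store) RemoveRole(user, role string) int {
	delete(s.users[user], role)
	n := 0
	for id := range s.byUser[user] {
		delete(s.sessions, id)
		s.Audit = append(s.Audit, fmt.Sprintf("forced logout user=%s session=%s reason=role_removed:%s", user, id[:8], role))
		n++
	}
	delete(s.byUser, user)
	return n
}

func main() {
	s := NewStore()
	s.SetRoles("alice", "admin")
	id, _ := s.Login("alice", time.Hour)
	s.RemoveRoleNoLogout("alice", "admin")
	fmt.Println("stale session after role removal:", s.Authorize(id, "admin")) // still authorized
	s.SetRoles("alice", "admin")
	fmt.Println("forced logouts:", s.RemoveRole("alice", "admin"), "->", s.Authorize(id, "admin"))
	for _, l := range s.Audit {
		fmt.Println(l)
	}
}
```

The alternative design, re-reading roles from the user record on every request instead of caching them in the session, closes the same window without forced logouts, at the cost of a lookup per request; either way the test to keep in a regression suite is "authorize after role removal fails".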

Advisory ID: AXXON-SEC-2025-005

  • Title: Incorrect Evaluation of LDAP Nested Groups during Login
  • Date Published: 2025-01-19
  • Severity: Medium
  • Product Affected: Axxon One
  • Affected Versions: Axxon One 2.0.2 and earlier
  • Resolved Version: 2.0.2

Vulnerability Overview:
The LDAP authentication engine failed to fully resolve nested group memberships when evaluating access permissions, resulting in legitimate users being denied access or being misassigned roles.

Mitigation:
LDAP resolution logic was updated to recursively parse and flatten nested group structures before evaluating role binding.

Recommendation:
Upgrade to version 2.0.2 or newer. Ensure external LDAP directory structures are regularly audited for correct nesting and role mapping.

Acknowledgments:
Resolved by the AxxonSoft QA and directory integration teams.
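The recursive resolution the mitigation describes, as an added Go example that is not Axxon One's LDAP engine: group data is modelled as a constructed map from group DN to member DNs, DirectGroupsOnly reproduces the one-hop evaluation that denied nested users, and EffectiveGroups follows group-in-group links to any depth with a visited set so a membership cycle cannot loop. The DNs, the role mapping and the user names are assumptions for the example.

```go
// Added example (not AxxonSoft code): resolve nested LDAP group membership
// to any depth, with cycle protection, and compare it with a one-hop lookup.
package main

import (
	"fmt"
	"sort"
)

// Directory is a constructed stand-in for group data pulled from LDAP:
// group DN -> member DNs, where a member may itself be a group.
type Directory map[string][]string

// roleMapping binds groups to product roles, highest privilege first.
var roleMapping = []struct{ Group, Role string }{
	{"cn=admins", "Administrator"},
	{"cn=vms-operators", "Operator"},
}

// DirectGroupsOnly reproduces the pre-fix evaluation: just the groups that
// list the user as an immediate member.
func (d Directory) DirectGroupsOnly(userDN string) []string {
	var out []string
	for g, members := range d {
		for _, m := range members {
			if m == userDN {
				out = append(out, g)
			}
		}
	}
	sort.Strings(out)
	return out
}

// EffectiveGroups follows group-in-group links recursively and returns the
// flattened set. The seen set stops on membership cycles (A in B, B in A).
func (d Directory) EffectiveGroups(userDN string) []string {
	parents := map[string][]string{} // member -> groups listing it
	for g, members := range d {
		for _, m := range members {
			parents[m] = append(parents[m], g)
		}
	}
	seen := map[string]bool{}
	var walk func(dn string)
	walk = func(dn string) {
		for _, g := range parents[dn] {
			if seen[g] {
				continue
			}
			seen[g] = true
			walk(g)
		}
	}
	walk(userDN)
	out := make([]string, 0, len(seen))
	for g := range seen {
		out = append(out, g)
	}
	sort.Strings(out)
	return out
}

// RoleFor returns the first mapped role the user's groups satisfy, or "" (denied).
func RoleFor(groups []string) string {
	set := map[string]bool{}
	for _, g := range groups {
		set[g] = true
	}
	for _, m := range roleMapping {
		if set[m.Group] {
			return m.Role
		}
	}
	return ""
}

func main() {
	d := Directory{
		"cn=vms-operators": {"cn=shift-a"},
		"cn=shift-a":       {"uid=bob"},
		"cn=admins":        {"cn=ops-leads"},
		"cn=ops-leads":     {"cn=admins", "uid=carol"}, // cycle with cn=admins
	}
	fmt.Printf("bob, one hop:  %q -> role %q\n", d.DirectGroupsOnly("uid=bob"), RoleFor(d.DirectGroupsOnly("uid=bob")))
	fmt.Printf("bob, nested:   %q -> role %q\n", d.EffectiveGroups("uid=bob"), RoleFor(d.EffectiveGroups("uid=bob")))
	fmt.Printf("carol, nested: %q -> role %q\n", d.EffectiveGroups("uid=carol"), RoleFor(d.EffectiveGroups("uid=carol")))
}
```

Against Active Directory the recursion can be pushed to the server with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) in a memberOf filter; against other directories the client-side walk above is what you need, and the cycle guard matters because nothing prevents an administrator from nesting two groups in each other.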

Advisory ID: AXXON-SEC-2025-006

  • Title: Incorrect Memory Allocation in OpenSSL-Based Session Module
  • Date Published: 2024-11-01
  • Severity: High
  • Product Affected: Axxon One
  • Affected Versions: Axxon One 2.0.6 and earlier
  • Resolved Version: Migrated to OpenSSL 3.0.13

Vulnerability Overview:
A legacy compatibility shim used for session encryption introduced memory reallocation issues when handling expired keys. Under high load, this could result in crashes or unpredictable behavior.

Mitigation:
Session key management was refactored. All OpenSSL bindings were updated, and the key refresh logic was simplified to avoid reallocations in the critical path.

Recommendation:
Recompile and deploy using OpenSSL 3.0.13 or later. Ensure proper handling of session key rotation in live environments.

Acknowledgments:
Reported during internal performance and fault-injection testing.

Advisory ID: AXXON-SEC-2025-007

  • Title: PostgreSQL Upgrade from v10 to v17.4 to Address CVEs and Improve DB Hardening
  • Date Published: 2025-03-08
  • Severity: High
  • Product Affected: Axxon One
  • Affected Versions: AxxonOne 2.0.8 and earlier
  • Resolved Version: PostgreSQL 17.4

Vulnerability Overview:
The migration from PostgreSQL 10.x to 17.4 addressed over a dozen CVEs, including privilege escalation, remote code execution, and denial-of-service vulnerabilities.

Mitigation:
Full migration tested and applied to embedded and external PostgreSQL backends. Queries and schema adjustments validated.

Recommendation:
Administrators using external PostgreSQL instances are strongly advised to update to v17.4 or newer. See release notes for full CVE list.

Acknowledgments:
Implemented by the AxxonSoft DevOps and QA security team.

Advisory ID: AXXON-SEC-2025-008

  • Title: Added Support for AES-256 Encryption of Object Archive
  • Date Published: 2025-05-01
  • Severity: High
  • Product Affected: Axxon One Object Archive
  • Affected Versions: All versions before 2.0.8
  • Resolved Version: 2.0.8

Vulnerability Overview:
Object archive data was previously stored without encryption, posing a risk of unauthorized extraction from exported storage or stolen physical drives.

Mitigation:
AES-256 encryption for object archive was implemented as part of core platform improvements. Encryption keys are protected by user credentials and can be rotated.

Recommendation:
Upgrade to version 2.0.8 or later. Enable encryption in archive storage settings and periodically rotate keys.

Acknowledgments:
Security improvement delivered by the AxxonSoft storage engineering group.
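One way to realize "keys protected by user credentials and can be rotated", as an added Go example that is not the Object Archive implementation: envelope encryption, where the archive bytes are encrypted under a random data key with AES-256-GCM, the data key is wrapped by a key derived from the user credential with PBKDF2-HMAC-SHA256, and rotating the credential re-wraps the data key without touching the bulk data. The KDF iteration count, the AAD labels, the blob layout and the sample credential are assumptions; the PBKDF2 routine is written out because it is not in Go's standard library in older releases.

```go
// Added example (not AxxonSoft code): credential-wrapped data key for an
// AES-256-GCM encrypted archive, with credential rotation.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIters = 100000 // placeholder; tune to your latency budget

// pbkdf2SHA256 derives one 32-byte block (RFC 8018, dkLen == hLen).
func pbkdf2SHA256(password, salt []byte, iters int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): block index
	u := prf.Sum(nil)
	out := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Archive holds the encrypted objects plus the wrapped data key (DEK).
type Archive struct {
	Salt       []byte // KDF salt for the credential-derived wrapping key (KEK)
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	Data       []byte // AES-256-GCM(DEK, objects)
}

func EncryptArchive(credential, objects []byte) (*Archive, error) {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, salt := buf[:32], buf[32:]
	data, err := seal(dek, objects, []byte("archive"))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(pbkdf2SHA256(credential, salt, kdfIters), dek, []byte("dek"))
	if err != nil {
		return nil, err
	}
	return &Archive{Salt: salt, WrappedDEK: wrapped, Data: data}, nil
}

func DecryptArchive(credential []byte, a *Archive) ([]byte, error) {
	dek, err := open(pbkdf2SHA256(credential, a.Salt, kdfIters), a.WrappedDEK, []byte("dek"))
	if err != nil {
		return nil, errors.New("wrong credential or tampered key blob")
	}
	return open(dek, a.Data, []byte("archive"))
}

// RotateCredential re-wraps the DEK under a new credential and fresh salt;
// the bulk data is untouched, so rotation is one small AEAD operation.
func RotateCredential(oldCred, newCred []byte, a *Archive) error {
	dek, err := open(pbkdf2SHA256(oldCred, a.Salt, kdfIters), a.WrappedDEK, []byte("dek"))
	if err != nil {
		return errors.New("old credential rejected")
	}
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	wrapped, err := seal(pbkdf2SHA256(newCred, salt, kdfIters), dek, []byte("dek"))
	if err != nil {
		return err
	}
	a.Salt, a.WrappedDEK = salt, wrapped
	return nil
}

func main() {
	cred := []byte("operator-credential") // constructed
	a, err := EncryptArchive(cred, []byte("object archive contents"))
	if err != nil {
		panic(err)
	}
	if err := RotateCredential(cred, []byte("new-credential"), a); err != nil {
		panic(err)
	}
	_, err = DecryptArchive(cred, a)
	fmt.Println("old credential after rotation:", err)
	plain, err := DecryptArchive([]byte("new-credential"), a)
	fmt.Println("new credential:", string(plain), err)
}
```

The caveat to keep in mind when planning rotation: re-wrapping changes which credential unlocks the data key, not the data key itself. If an old wrapped-key blob and the old credential could both have been copied (the stolen-drive case this advisory is about), that copy still yields the same data key, and only re-encrypting the archive under a fresh data key closes it.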