Cyber Posture

CVE-2025-23051

High

Published: 14 January 2025

Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0029 (51.9th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files.

Security Summary

CVE-2025-23051 is an authenticated parameter injection vulnerability, classified under CWE-94, in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables an authenticated user to inject parameters and overwrite arbitrary system files.

An attacker needs high privileges (PR:H) and network access to the management interface to exploit this vulnerability; attack complexity is low and no user interaction is required. Exploitation has a high impact on confidentiality, integrity, and availability, potentially leading to complete system compromise through arbitrary file overwrites.

The HPE security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04723en_us&docLocale=en_US provides details on affected versions and mitigation steps.

Details

CWE(s)
CWE-94
