CVE-2025-23052
Published: 14 January 2025
Description
Authenticated command injection vulnerability in the command line interface of a network management service. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands as a privileged user on the underlying operating system.
Security Summary
CVE-2025-23052, published on 2025-01-14, is an authenticated command injection vulnerability (CWE-77) in the command line interface of a network management service. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). The network attack vector, low attack complexity and full loss of confidentiality, integrity and availability rate it High; the score stays below Critical only because exploitation needs high privileges (PR:H) and the scope is unchanged (S:U). The flaw sits in the CLI component, where an operand supplied to a CLI command is not neutralised before it reaches the underlying operating system command, so shell metacharacters in that operand are interpreted as additional commands.
Exploitation requires high privileges (PR:H): an attacker who already holds an administrative account on the network management service can use the CLI to execute arbitrary commands. Because the CLI runs with the privileges of the service's OS account, a successful attack yields remote code execution as a privileged user on the underlying operating system, escaping the confines of the management application. That can lead to full system compromise, data exfiltration, or lateral movement into the network the appliance manages. In practice this is a privilege escalation from application administrator to OS root, so the administrative credential set of the management service is the attack surface to audit until patched.
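To make the CWE-77 pattern described above concrete, the following is an added illustration, not the affected product's code (the bulletin does not publish its internals): a hypothetical management-CLI "ping <host>" handler that interpolates its operand into a single shell string, next to a hardened version that validates the operand against an allow-list and passes argv to the OS without a shell. The command name, the regular expression and the injected operands are assumptions constructed for the example.

```python
import re
import shlex
import subprocess

# Constructed illustration of CWE-77 in a management CLI: a "ping <host>"
# command whose handler shells out to the OS ping binary as the service's
# (privileged) OS user. Hypothetical code, not the affected product's.

# Allow-list for a hostname or IPv4 literal; rejects every shell metacharacter.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_command(host: str) -> str:
    """Unsafe: the operand is interpolated into one shell string, so shell
    metacharacters (; | && ...) in it become part of the command line."""
    return f"ping -c 1 {host}"


def hardened_argv(host: str) -> list[str]:
    """Safe: validate the operand against a strict allow-list and pass the
    program and its arguments as separate argv entries (no shell involved)."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host operand: {host!r}")
    return ["ping", "-c", "1", host]


def operand_accepted(host: str) -> bool:
    """True if the hardened handler would accept the operand."""
    try:
        hardened_argv(host)
        return True
    except ValueError:
        return False


def shell_commands(cmdline: str) -> list[list[str]]:
    """Approximate how /bin/sh splits a command string into separate simple
    commands, to show what an injected operand actually executes."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    separators = {";", "|", "||", "&", "&&"}
    commands, current = [], []
    for tok in lexer:
        if tok in separators:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def run_hardened(host: str) -> int:
    """Execute the hardened form; returns ping's exit code. No shell is spawned."""
    return subprocess.run(hardened_argv(host), shell=False, check=False).returncode


if __name__ == "__main__":
    payload = "10.0.0.1; id"  # constructed attacker-supplied operand
    print(shell_commands(vulnerable_command(payload)))
    # The second simple command ('id') would run as the CLI's OS user.
    try:
        hardened_argv(payload)
    except ValueError as exc:
        print(exc)
```

The tokenizer only approximates a POSIX shell, but it is enough to show that the vulnerable form turns one operand into two commands, while the hardened form never hands a string to a shell at all and rejects anything outside the allow-list before it reaches the OS.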
The HPE security bulletin at https://support.hpesc/public/docDisplay?docId=hpesbnw04723en_us&docLocale=en_US provides details on affected products, exploitation status, and recommended mitigations or patches. Security practitioners should consult this advisory for version-specific remediation steps.
Details
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command)