CVE-2025-23051
Published: 14 January 2025
Summary
CVE-2025-23051 is a high-severity Code Injection (CWE-94) vulnerability affecting HPE (vendor inferred from references). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations this analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-23051 is an authenticated parameter injection vulnerability, classified under CWE-94, in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Published on January 14, 2025, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). Successful exploitation enables an authenticated user to inject parameters and overwrite arbitrary system files.
Exploitation requires high privileges (PR:H) and network access to the management interface; attack complexity is low and no user interaction is needed. The impact on confidentiality, integrity, and availability is rated High across the board, because arbitrary file overwrites on the operating system can lead to complete compromise of the device.
The HPE security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04723en_us&docLocale=en_US provides details on affected versions and mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3094
Vulnerability details
An authenticated parameter injection vulnerability exists in the web-based management interface of the AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated user to leverage parameter injection to overwrite arbitrary system files.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190)
Why these techniques?
The vulnerability is an authenticated parameter injection flaw in a web-based management interface. An attacker holding high-privilege credentials for that interface can exploit it over the network to achieve arbitrary file overwrites and full system compromise, which maps to exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents parameter injection vulnerabilities by requiring validation and sanitization of all inputs to the web management interface.
- SI-2 (Flaw Remediation): Mandates timely remediation of known flaws like CVE-2025-23051 through patching affected AOS-8 and AOS-10 systems.
- File integrity monitoring: Monitors the integrity of system files to detect unauthorized overwrites resulting from successful parameter injection exploitation.