CVE-2025-2172

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

CVSS

No CVSS.

References

Link	Resource
https://cloud.google.com/blog/topics/threat-intelligence/remote-code-execution-aviatrix-controller
https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0004.md

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Las versiones de Aviatrix Controller anteriores a 7.1.4208, 7.2.5090 y 8.0.0 no depuran la entrada del usuario antes de pasarla a las utilidades de línea de comandos, lo que permite la inyección de comandos a través de caracteres especiales en los nombres de archivos.

23 Jun 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-23 14:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-2172

Mitre link : CVE-2025-2172

CVE.ORG link : CVE-2025-2172

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

{"id": "CVE-2025-2172", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "mandiant-cve@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.6, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-06-23T14:15:26.607", "references": [{"url": "https://cloud.google.com/blog/topics/threat-intelligence/remote-code-execution-aviatrix-controller", "source": "mandiant-cve@google.com"}, {"url": "https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0004.md", "source": "mandiant-cve@google.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "mandiant-cve@google.com", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames"}, {"lang": "es", "value": "Las versiones de Aviatrix Controller anteriores a 7.1.4208, 7.2.5090 y 8.0.0 no depuran la entrada del usuario antes de pasarla a las utilidades de l\u00ednea de comandos, lo que permite la inyecci\u00f3n de comandos a trav\u00e9s de caracteres especiales en los nombres de archivos."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "mandiant-cve@google.com"}