CVE-2025-2172 | THREATINT

Description

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

PUBLISHED Reserved 2025-03-10 | Published 2025-06-23 | Updated 2026-02-26 | Assigner Mandiant

MEDIUM: 6.6CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

affected

7.1.4208

unaffected

7.2.5090

unaffected

8.0.0

unaffected

References

github.com/...Disclosures/blob/master/2025/MNDT-2025-0004.md third-party-advisory

cloud.google.com/...emote-code-execution-aviatrix-controller technical-description

cve.org (CVE-2025-2172)

nvd.nist.gov (CVE-2025-2172)

Download JSON