CVE-2025-2172
BaseFortify
Publication date: 2025-06-23
Last updated on: 2025-06-23
Assigner: Mandiant Inc.
Description
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-2172 is a command injection vulnerability in Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0. The vulnerability arises because the software fails to properly sanitize user input before passing it to command line utilities. Specifically, attackers can embed special characters like tab characters in filenames during file uploads, which are then improperly handled by the system's command execution process. This allows attackers to inject additional command-line arguments or commands, leading to remote code execution on the Aviatrix Controller server. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker with authenticated access to execute arbitrary commands on the Aviatrix Controller server with elevated privileges. This can lead to full system compromise, unauthorized access to sensitive network configurations, disruption of cloud network management, and potential lateral movement within the affected environment. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on identifying exploitation attempts involving file uploads with suspicious filenames containing tab characters or unusual command-line argument injection patterns. Since the vulnerability involves command injection via specially crafted filenames with tab characters, you can search for such filenames in the upload directories (e.g., /var/avxui/). For example, on the Aviatrix Controller server, you could run commands like:

1) find /var/avxui/ -type f -name "$(printf '*\t*')" -print (finds files with a tab character in their names; the tab must be passed literally via printf or bash's $'...' quoting, because find's pattern matcher reads the two characters '\t' as an escaped letter t)

2) grep -r $'\t' /var/avxui/ (detects tab characters in the contents of files under the upload directory, including any logs stored there; it does not inspect filenames, so pair it with the find command above)

Additionally, monitoring logs for unusual sudo cp commands or update-ca-certificates executions with unexpected arguments may help detect exploitation attempts. Network detection could involve monitoring for abnormal API calls to the upload_file() function or brute-force attempts on the password reset token, but specific commands for network detection are not detailed in the resources. [1]
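The two checks suggested above, written out as a small POSIX shell script. This is an added example, not code from BaseFortify, Aviatrix or the referenced resource: it scans a directory for filenames containing tab or carriage-return characters (the page's signal for this CVE) and flags sudo log lines in which cp or update-ca-certificates was run with a tab inside the COMMAND= field. The directory and log file are constructed sample data created by the script; the sudo line format, the file names and the "-v" argument in them are assumptions made for illustration. On a real controller, point the functions at /var/avxui/ and at the host's sudo/auth log.

```shell
#!/bin/sh
# Added example (not BaseFortify's or Aviatrix's code): detection helpers for the
# tab-in-filename pattern described for CVE-2025-2172.

TAB=$(printf '\t')
CR=$(printf '\r')

# Count regular files under $1 whose name contains a tab or carriage return.
# A literal tab is passed to -name: the quoted string '*\t*' would only match
# the letter t, because find's pattern matcher treats backslash as an escape.
count_control_char_names() {
    find "$1" -type f \( -name "*${TAB}*" -o -name "*${CR}*" \) -print | wc -l | tr -d ' '
}

# Print sudo log lines where cp or update-ca-certificates was run with a tab
# character somewhere in the COMMAND= field (an argument-splitting sign).
# The COMMAND=... layout is sudo's syslog format; adjust if the log differs.
flag_sudo_lines() {
    grep -E 'COMMAND=[^ ]*(/cp|/update-ca-certificates)' "$1" | grep -F "$TAB"
}

count_flagged() {
    flag_sudo_lines "$1" | wc -l | tr -d ' '
}

# Constructed sample upload directory: one clean name, two with control characters.
make_sample_upload_dir() {
    d=$(mktemp -d)
    : > "$d/ok.pem"
    : > "$d/cert${TAB}-v.pem"
    : > "$d/key${CR}.pem"
    echo "$d"
}

# Constructed sample sudo log: lines 3 and 4 carry a tab inside COMMAND=.
write_sample_sudo_log() {
    f=$(mktemp)
    printf '%s\n' \
      'Jun 23 10:00:01 ctrl sudo: www-data : TTY=unknown ; PWD=/var/avxui ; USER=root ; COMMAND=/bin/cp /var/avxui/cert.pem /usr/local/share/ca-certificates/cert.crt' \
      'Jun 23 10:00:02 ctrl sudo: www-data : TTY=unknown ; PWD=/var/avxui ; USER=root ; COMMAND=/usr/sbin/update-ca-certificates' \
      "Jun 23 10:00:03 ctrl sudo: www-data : TTY=unknown ; PWD=/var/avxui ; USER=root ; COMMAND=/bin/cp /var/avxui/cert.pem${TAB}-v /usr/local/share/ca-certificates/cert.crt" \
      "Jun 23 10:00:04 ctrl sudo: www-data : TTY=unknown ; PWD=/var/avxui ; USER=root ; COMMAND=/usr/sbin/update-ca-certificates${TAB}-v" \
      > "$f"
    echo "$f"
}

# Stand-alone demo on the constructed samples; replace with real paths in use.
UPLOAD_DIR=$(make_sample_upload_dir)
echo "files with control characters in their name: $(count_control_char_names "$UPLOAD_DIR")"
LOG_FILE=$(write_sample_sudo_log)
echo "sudo cp/update-ca-certificates lines containing a tab:"
flag_sudo_lines "$LOG_FILE"
rm -rf "$UPLOAD_DIR" "$LOG_FILE"
```

The grep stage keys only on a tab inside the COMMAND= field, which is the indicator the page describes; it deliberately does not try to enumerate specific injected flags, so legitimate invocations with ordinary space-separated arguments are not flagged.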
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Aviatrix Controller to a patched version: 7.1.4208, 7.2.5090, or 8.0.0 or later, where the vulnerability is fixed. Until an upgrade is possible, restrict access to the Aviatrix Controller administration interface to trusted users only, monitor and block suspicious file uploads especially those with unusual filenames containing tab characters, and audit sudo command usage related to file uploads and certificate updates. Additionally, consider implementing network-level controls to limit access and applying strict input validation or filtering on file uploads if possible. [1]