RCE in Aviatrix Controller

CVE-2025-2172

Aviatrix Controller versions prior to 7.1.4208, 7.2.5090, and 8.0.0 fail to sanitize user input prior to passing the input to command line utilities, allowing command injection via special characters in filenames

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.013 (80.0th percentile) — read the EPSS interpretation.

Affected products

Aviatrix Controller — versions 7.1.4208, 7.2.5090, 8.0.0

Weakness classification (CWE)

CWE-78 — OS Command Injection

References

github.com/mandiant/Vulnerability-Disclosures/blob/master/2025/MNDT-2025-0004.md (third-party-advisory)
cloud.google.com/blog/topics/threat-intelligence/remote-code-execution-aviatrix… (technical-description)