Severity by source
CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H
Lifecycle Timeline
3DescriptionCVE.org
A
CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote command execution by a privileged account when the server is accessed via a console and through exploitation of the hostname input.
AnalysisAI
CVE-2025-50123 is a code injection vulnerability (CWE-94) in an unspecified server product that allows remote command execution when accessed via console by a privileged account through malicious hostname input. The vulnerability has a CVSS 4.0 score of 7.2 and requires physical access and high privileges, significantly limiting real-world exploitability despite the high impact potential. KEV status and EPSS scoring data are unavailable in provided intelligence, but the physical attack vector and high privilege requirement suggest this poses limited risk in typical network environments.
Technical ContextAI
This vulnerability exploits improper input validation in hostname processing logic, allowing an attacker to inject arbitrary code that executes with server privileges. The attack occurs through the console interface (physical or direct access), suggesting the vulnerability lies in local console handlers or administrative interfaces that process hostname configuration inputs without proper sanitization or escaping. CWE-94 (Improper Control of Generation of Code) indicates the application dynamically constructs and executes code based on hostname input—likely through shell command construction, scripting engine evaluation, or similar mechanisms without adequate validation. The reliance on physical console access and high-privilege credentials (PR:H) indicates this is a local privilege escalation or post-compromise lateral movement vector rather than a remote network attack.
RemediationAI
Patch information is NOT available in the provided intelligence. Recommended remediation approach: (1) Identify the affected product and vendor through official CVE record; (2) Apply security patches from the vendor immediately upon availability; (3) Implement input validation and sanitization for all hostname inputs, particularly in console/administrative interfaces—use allowlist validation and reject special characters; (4) Employ parameterized command construction instead of string concatenation for system calls; (5) Restrict console access through physical security controls and multi-factor authentication; (6) Audit and revoke unnecessary high-privilege account access; (7) Deploy Web Application Firewalls (WAF) or console access controls to filter malicious hostname payloads. Monitor vendor security advisories and NIST NVD for patch release notifications.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-21130