By Varshini
Publication Date: 2026-02-24 07:34:00
Hewlett Packard Enterprise (HPE) has disclosed a critical vulnerability in its Telco Service Activator software that exposes telecommunications networks to unauthorized access.
Tracked as CVE-2025-12543, the flaw is due to improper input validation in the core of the underlying Undertow HTTP server.
Attackers can take advantage of this by creating malicious HTTP requests with host headers manipulated to bypass remote access restrictions.
HPE issued security bulletin HPESBNW05011 on February 19, 2026, urging users to apply patches immediately. With a CVSS v3.1 base score of 9.6, this high-severity issue is among this year’s most pressing telecom threats.
Vulnerability details and exploitation risks
The vulnerability exists because the Undertow HTTP Server, integrated into HPE Telco Service Activator, does not properly validate the Host header in incoming requests.
This allows remote unprivileged attackers to trick the server into processing unauthorized requests.
According to HPE…
