Telecommunications providers rely on complex orchestration tools to keep the world connected, but a newly disclosed vulnerability threatens the core of these operations. A critical security flaw has been identified in HPE Service Activator (HPESA), a premier service provisioning and activation software platform from Hewlett Packard Enterprise.
Once integrated into a Customer Service Provider’s (CSP) environment, HPESA automates the critical processes involved in the creation and activation of new telecommunications services across fixed, mobile, or internet environments. Because HPESA software engages the entire fulfillment stack—including order management, resource inventory, and service activation—a compromise at this level can have cascading consequences.
Tracked as CVE-2025-12543 and carrying a CVSS score of 9.6, the vulnerability does not actually originate in HPE’s proprietary code, but rather in a core dependency.
The flaw was found within the Undertow HTTP server core, a library utilized in WildFly, JBoss EAP, and other Java applications running under the hood of the platform. According to the security summary, the Undertow library fundamentally “fails to properly validate the Host header in incoming HTTP requests”.
Because the server fails to validate this critical piece of HTTP traffic, requests containing malformed or entirely malicious Host headers are processed and accepted without rejection.
This lack of validation opens the door to a range of severe attacks. Threat actors can exploit this validation failure to poison web caches and perform unauthorized internal network scans. Furthermore, attackers can exploit it to hijack user sessions, gaining unauthorized access to the network and completely undermining the integrity of the CSP’s environment.
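As an added illustration of what “properly validating the Host header” means in practice (example code written for this article, not HPE’s or Undertow’s code; the page does not describe the specific checks in the vendor fix), the following Python parses the header against the RFC 3986 host grammar and then compares it with an allowlist of hostnames the service is actually deployed under. The hostnames, ports and allowlist below are constructed.

```python
import ipaddress
import re

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 63 chars per label, 253 overall.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
_PORT_RE = re.compile(r"[0-9]{1,5}")


def parse_host_header(value):
    """Return (host, port) for a well-formed Host header, or None to reject it."""
    if not value or len(value) > 300:                 # empty or absurdly long
        return None
    if any(ch in value for ch in " \t\r\n/\\@?#"):   # path, userinfo, whitespace
        return None
    if value.startswith("["):                         # IPv6 literal "[addr]" or "[addr]:port"
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
        try:
            ipaddress.IPv6Address(host)
        except ValueError:
            return None
    else:
        host, sep, tail = value.partition(":")
        rest = ":" + tail if sep else ""
        try:
            ipaddress.IPv4Address(host)               # dotted-quad is fine as-is
        except ValueError:
            if not _HOSTNAME_RE.match(host):          # otherwise must be a hostname
                return None
    port = None
    if rest:                                          # ":" must be followed by 1-65535
        if not rest.startswith(":") or not _PORT_RE.fullmatch(rest[1:]):
            return None
        port = int(rest[1:])
        if not 0 < port <= 65535:
            return None
    return host.lower().rstrip("."), port


def host_is_allowed(header_value, allowed_hosts, allowed_ports=(80, 443)):
    """Accept only a syntactically valid Host that names this deployment."""
    parsed = parse_host_header(header_value)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and port not in allowed_ports:
        return False
    return host in {h.lower().rstrip(".") for h in allowed_hosts}
```

A request whose Host header fails `host_is_allowed` should be answered with 400 before any routing, cache key or redirect logic sees it, which is the property the Undertow flaw lacks.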
The vulnerability specifically impacts versions of HPE Telco Service Activator prior to 10.5.0.
Network administrators and CSPs utilizing the platform are urged to apply the vendor-supplied resolution immediately. HPE has released a software update to resolve this vulnerability, and users must upgrade to HPE Telco Service Activator v10.5.0 to ensure their telecommunications infrastructure is protected against these HTTP-based attacks.