HPE Aruba Access Points AOS-8 Instant and AOS-10 Command Injection Vulnerability Allowing Arbitrary Command Execution

A command injection vulnerability has been identified in the command line interface of HPE Aruba Access Points running AOS-8 Instant and AOS-10. This vulnerability allows an authenticated remote attacker to execute arbitrary system commands within a restricted shell environment. Successful exploitation could lead to unauthorized command execution on the underlying operating system.

Impact

Exploitation of this vulnerability could result in authenticated command injection, allowing for arbitrary command execution on the device's operating system.

Remediation

To address this vulnerability, HPE Aruba Networking recommends upgrading to AOS-10 AP 10.8.0.1 and above, AOS-10 AP 10.7.2.3 and above, AOS-10 AP 10.4.1.11 and above, AOS-8 Instant 8.13.1.2 and above, AOS-8 Instant 8.12.0.7 and above, or AOS-8 Instant 8.10.0.22 and above. For systems running AOS-8 Instant 8.12.x.x, a one-time exception patch has been released. Instructions for downloading the updated software are available on the HPE Networking Support Portal.