Description
A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ArubaOS command line interface suffers from inconsistent input filtering that permits command injection. This flaw, corresponding to CWE‑78, enables an authenticated remote user to run arbitrary system commands through the restricted shell environment. Because the attacker can execute commands on the underlying OS, the vulnerability can compromise confidentiality, integrity, and availability of the managed access point.

Affected Systems

The weakness affects Aruba’s ArubaOS operating system on both AOS‑10 and AOS‑8 Instant access points. All devices that run these firmware releases and expose the CLI to remote management are susceptible. No specific version numbers are listed, so every deployment of AOS‑10 and AOS‑8 Instant should be treated as potentially vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. The EPSS score is not available, so the precise likelihood of exploitation is unknown, and the flaw is not currently listed in the CISA KEV catalog. The attack requires valid credentials to the CLI; once authenticated, the attacker can trivially inject commands, making this a significant risk for networks that allow remote CLI access.

Generated by OpenCVE AI on May 13, 2026 at 00:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ArubaOS firmware update that fixes the authenticated command injection flaw.
  • Restrict CLI access to trusted users or limit remote configuration to isolated segments.
  • Disable or block external CLI access on devices that do not require remote configuration.

Generated by OpenCVE AI on May 13, 2026 at 00:23 UTC.

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 23:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-77

Tue, 12 May 2026 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20
CWE-77

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
Title Inconsistent input filtering allows Authenticated Command Injection in AOS-8 Instant and AOS-10 CLI
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T03:58:39.169Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23820

Vulnrichment

Updated: 2026-05-12T19:28:58.401Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T19:16:28.730

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23820

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:46Z

Weaknesses