Description
A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

Note: Access Points running AOS-8 Instant software are not affected by this vulnerability.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AOS-10 Access Points contain an inconsistency in the filtering of user input that permits an authenticated attacker to inject and execute system commands. The flaw gives the attacker the ability to run arbitrary code on the underlying operating system, compromising the confidentiality, integrity, and availability of the device and any network services it hosts. The vulnerability is classified as command injection (CWE-78), enabling full control of the device for an attacker who holds legitimate credentials on it.

Affected Systems

Hewlett Packard Enterprise ArubaOS (AOS) version 10 running on Access Point devices is affected. Devices running AOS-8 Instant are explicitly not vulnerable.

Risk and Exploitability

The CVSS score of 7.2 rates the vulnerability as high severity: the vector (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) indicates a network-reachable flaw that requires high privileges but no user interaction and yields full command execution on the device. The EPSS score is very low (below 1%), so the likelihood of exploitation currently appears low, suggesting the flaw is not yet widely targeted. The vulnerability is not listed in the CISA KEV catalog, so no exploitation in the wild has been recorded there. Based on the description and title, the attack requires valid credentials on the AP and proceeds through the authenticated CLI interface, where inconsistently filtered configuration input allows injection of system commands.

Generated by OpenCVE AI on May 12, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the latest ArubaOS firmware update that addresses command injection.
  • If a firmware update is unavailable or cannot be applied immediately, disable remote CLI access or restrict it to trusted IP ranges.
  • Ensure that only essential privileged accounts are used for device management and enforce strong password policies.
  • Monitor device logs for anomalous command executions and audit access patterns regularly.

Generated by OpenCVE AI on May 12, 2026 at 23:26 UTC.

Tracking


Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 22:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. Note: Access Points running AOS-8 Instant software are not affected by this vulnerability.
Title Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T03:58:38.032Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23821

Vulnrichment

Updated: 2026-05-12T19:27:43.629Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T19:16:28.840

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23821

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:45Z

Weaknesses