Description
A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

NOTE: This vulnerability only impacts Access Points running AOS-10.7.x.x and above. AOS-10.4 AP and AOS-8 Instant software branches are not affected by this vulnerability.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated remote attacker can inject arbitrary shell commands through the CLI of Aruba Access Points running AOS‑10. This injection vulnerability allows the attacker to execute commands on the underlying operating system, effectively achieving remote code execution. The weakness is an OS Command Injection flaw (CWE‑77).

Affected Systems

Affected devices are Aruba Access Points that run AOS‑10.7.x.x and later. Earlier branches (AOS‑10.4 and AOS‑8 Instant) are not impacted.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires valid credentials to the CLI (the CVSS vector lists PR:H, high privileges required), so the attack is limited to authenticated users in the network; without such credentials the vulnerability cannot be leveraged. As a result, the risk is significant for organizations that expose CLI access to untrusted hosts or lack strong authentication controls.

Generated by OpenCVE AI on May 12, 2026 at 20:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest ArubaOS firmware update released by HPE that addresses the CLI command injection.
  • If an update is not yet available, restrict or disable CLI access for non‑trusted devices and users, and enforce strong authentication for privileged roles.
  • Implement network segmentation and firewall rules to limit the reach of exposed devices, preventing the attacker from gaining access to the command line interface.
  • Enable logging and monitoring of CLI activity to detect potential injection attempts.

Advisories

No advisories yet.

History

Wed, 13 May 2026 11:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Hpe; Hpe arubaos |
| Vendors & Products | | Hpe; Hpe arubaos |

Tue, 12 May 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-77 |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Tue, 12 May 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. NOTE: This vulnerability only impacts Access Points running AOS-10.7.x.x and above. AOS-10.4 AP and AOS-8 Instant software branches are not affected by this vulnerability. |
| Title | | Authenticated Command Injection leads to RCE in AOS-10 CLI Command |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T03:58:36.867Z

Reserved: 2026-01-16T15:22:49.224Z

Link: CVE-2026-23823

Vulnrichment

Updated: 2026-05-12T19:23:35.872Z

NVD

Status: Awaiting Analysis

Published: 2026-05-12T19:16:29.053

Modified: 2026-05-13T15:35:17.550

Link: CVE-2026-23823

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:37:42Z

Weaknesses