Impact
SQL injection vulnerabilities exist in several service components that can be accessed through the AOS command‑line interface (CLI) and management protocol on the AOS‑8 and AOS‑10 operating systems. An attacker who is authenticated with administrative privileges could insert malicious input into parameters that are passed unsanitized to backend database queries. When the flaw is triggered, the attacker is able to execute arbitrary operating‑system commands. The vulnerability therefore provides a path for an insider, or an external actor who has obtained administrative credentials, to take complete control of the affected device, enabling further lateral movement within the network.
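To make the described flaw class concrete, the following added example (not code from the advisory or from the AOS product) contrasts a management-command handler that splices a parameter into a backend SQL query with one that passes it as a bound parameter, and adds an allowlist check of the kind a CLI argument parser should apply before the value reaches the database. The table name, columns and sample rows are constructed assumptions; the query uses an in-memory SQLite database purely to show the behaviour.

```python
import re
import sqlite3

# Constructed sample table standing in for a backend database behind a
# management interface (an assumption, not an AOS internal structure).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin_users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO admin_users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "operator")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable pattern: the CLI argument is concatenated into the SQL text,
    # so a quote character in the argument changes the query's structure
    # instead of being matched as data.
    sql = f"SELECT name, role FROM admin_users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened pattern: a parameterized query binds the argument as a value;
    # the database never parses it as SQL.
    return conn.execute(
        "SELECT name, role FROM admin_users WHERE name = ?", (name,)
    ).fetchall()

def is_valid_identifier(arg):
    # Defence in depth: a CLI parameter that is supposed to be a bare user name
    # should be rejected at the parser before it reaches any backend query.
    # The character set and length limit are assumptions for this example.
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", arg) is not None

def demo():
    conn = make_db()
    benign = "alice"
    # Constructed input containing a quote; it is only used to show that the
    # unsafe handler's query no longer filters on the name at all.
    quoted = "x' OR '1'='1"
    return {
        "unsafe_benign": len(lookup_unsafe(conn, benign)),
        "unsafe_quoted": len(lookup_unsafe(conn, quoted)),
        "safe_benign": len(lookup_safe(conn, benign)),
        "safe_quoted": len(lookup_safe(conn, quoted)),
        "valid_benign": is_valid_identifier(benign),
        "valid_quoted": is_valid_identifier(quoted),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe handler returns every row for the quoted input (the `WHERE` clause has become always true), while the parameterized handler returns nothing because no user is literally named that string; the allowlist check rejects the same input before any query is built. Auditing a management interface for this pattern means looking for every place a command argument is formatted into SQL text rather than bound, which is the fix class an affected vendor would apply.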
Affected Systems
Hewlett Packard Enterprise's Aruba Operating System (AOS) for both AOS‑8 and AOS‑10 product families is affected. No more granular version information is available beyond the operating‑system family designation.
Risk and Exploitability
The CVSS score of 7.2 places the flaw in the medium severity range, yet the potential for full system compromise gives it high impact. EPSS scores are not available, and the vulnerability is not listed in CISA's KEV catalog, which suggests the exploit is not yet widely deployed but remains a serious risk. The likely attack vector requires the attacker to first gain authenticated administrative access; thereafter the flaw can be exercised over the CLI or other exposed management protocols, allowing exploitation from within the local network or via any remote management channel that is permitted for the administrator.
OpenCVE Enrichment