Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection vulnerabilities exist in several service components that can be accessed through the AOS command‑line interface (CLI) and management protocol on the AOS‑8 and AOS‑10 operating systems. An attacker who is authenticated with administrative privileges could insert malicious input into parameters that are passed unsanitized to backend database queries. When the flaw is triggered, the attacker is able to execute arbitrary operating‑system commands. The vulnerability therefore provides a path for an insider, or an external actor who has obtained administrative credentials, to take complete control of the affected device, enabling further lateral movement within the network.
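As an added illustration of the weakness class recorded for this CVE (CWE-89 feeding CWE-77), and not code from HPE Aruba or from this page: a hypothetical service that splices a CLI argument straight into a SQL string and then hands a value read back from the database to a shell, shown beside the parameterized, allowlisted and argv-based forms. The table, rows, payloads and function names are constructed for the demo; how the AOS components actually reach their backend database is not described on this page.

```python
"""Hypothetical CLI-backed lookup service (constructed for this example)."""
import re
import sqlite3
import subprocess


def make_db():
    """Constructed sample table; schema and rows are made up for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "administrator", "s3cret"), ("ops", "operator", "hunter2")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: the CLI argument becomes part of the SQL text."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Bound parameter: the driver treats `name` as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Defence in depth: CLI arguments that should be plain tokens get an allowlist.
TOKEN = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def is_valid_token(name):
    return TOKEN.fullmatch(name) is not None


def lookup_validated(conn, name):
    if not is_valid_token(name):
        raise ValueError("rejected CLI argument")
    return lookup_parameterized(conn, name)


def describe_vulnerable(conn, name):
    """CWE-89 feeding CWE-77: a column the attacker now controls through the
    UNION is interpolated into a shell command line (shell=True)."""
    rows = lookup_vulnerable(conn, name)
    if not rows:
        return ""
    label = rows[0][0]
    proc = subprocess.run(f"echo {label}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def describe_hardened(conn, name):
    """Validated input, bound parameter, and argv list instead of a shell string."""
    rows = lookup_validated(conn, name)
    if not rows:
        return ""
    label = rows[0][0]
    proc = subprocess.run(["echo", label], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    db = make_db()
    tautology = "x' OR '1'='1"
    dump = "x' UNION SELECT name, password FROM users WHERE '1'='1"
    chain = "x' UNION SELECT 'a; echo INJECTED', 'r' FROM users WHERE '1'='1"
    print("vulnerable, tautology:", lookup_vulnerable(db, tautology))
    print("vulnerable, UNION dump:", lookup_vulnerable(db, dump))
    print("parameterized, tautology:", lookup_parameterized(db, tautology))
    print("vulnerable chain output:", repr(describe_vulnerable(db, chain)))
    print("hardened, benign:", repr(describe_hardened(db, "ops")))
```

The tautology returns every row and the UNION returns the password column through a query that was only meant to return names and roles; with a bound parameter both payloads match no row at all. The third payload shows why CWE-77 is listed alongside CWE-89: once a query result is attacker-shaped, any later string-built shell command turns the injection into OS command execution, which is exactly what the argv form prevents.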

Affected Systems

Hewlett Packard Enterprise's Aruba Operating System (AOS) is affected in both the AOS‑8 and AOS‑10 product families. No more granular version information is available beyond the operating‑system family designation; the CPE configuration recorded in the history below lists arubanetworks:arubaos together with arubanetworks:sd-wan.

Risk and Exploitability

The CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) places the flaw in the High severity band. The impact is total loss of confidentiality, integrity and availability; what keeps the score below Critical is the PR:H requirement, not the impact. EPSS is below 1% and the vulnerability is not listed in CISA's KEV catalog, and the SSVC assessment recorded below gives Exploitation: none, Automatable: no, Technical Impact: total, so there is no evidence of in‑the‑wild exploitation at the time of writing. The attack vector is network‑reachable, but the attacker must first hold administrative credentials; from there the flaw can be exercised over the CLI or other exposed management protocols, either from inside the local network or over whatever remote management channels are open to administrators.

Generated by OpenCVE AI on May 12, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba firmware or patch that addresses the AOS‑8 and AOS‑10 SQL injection vulnerabilities.
  • Restrict administrative and CLI access to the smallest possible group of trusted users and enforce the principle of least privilege. Because exploitation requires an authenticated administrative session, treat administrator credentials as part of the attack surface: rotate them if compromise is suspected, and prefer centrally managed authentication with multi-factor enforcement over standalone local accounts.
  • Implement network segmentation and firewall rules to isolate management interfaces from untrusted networks. If a patch is not yet available, block or disable the vulnerable CLI and management protocol from external access until remediation is applied.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan
CPEs | | cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*; cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products | | Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan

Wed, 13 May 2026 18:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Hpe; Hpe arubaos
Vendors & Products | | Hpe; Hpe arubaos

Tue, 12 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-77; CWE-89

Tue, 12 May 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Title | | Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
References | |
Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T17:57:40.202Z

Reserved: 2026-05-07T21:29:03.734Z

Link: CVE-2026-44860

Vulnrichment

Updated: 2026-05-13T17:57:32.455Z

NVD

Status : Analyzed

Published: 2026-05-12T20:16:44.620

Modified: 2026-05-14T18:41:29.713

Link: CVE-2026-44860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:40Z

Weaknesses