Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection vulnerabilities in the command‑line interface and management protocol of Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) allow an authenticated administrator to inject unsanitized input into database queries, enabling execution of arbitrary operating‑system commands. The flaw is a classic input‑validation weakness that can be leveraged to compromise system confidentiality, integrity, and availability by running malicious code with elevated privileges.

Affected Systems

The affected products are Hewlett Packard Enterprise Aruba Networking Wireless Operating System, specifically versions AOS‑8 and AOS‑10. No additional patch‑level or build information is provided in the advisory.

Risk and Exploitability

The CVSS score of 7.2 classifies the vulnerability as high severity. Because the attack requires authenticated access, the attack vector is local or restricted to users who have been granted administrative credentials. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, but the high CVSS rating indicates a serious risk if the attacker gains the necessary privileges. Exploitation would involve sending crafted parameters through the command‑line interface or management protocol, with the potential to elevate an attacker’s control over the device. The lack of publicly disclosed exploit code suggests that attacks may be opportunistic but remain credible if credentials are compromised or the device is exposed to a trusted network area.

Generated by OpenCVE AI on May 12, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba AOS security patch for versions 8 and 10.
  • Restrict access to the AOS command‑line interface and management protocol via network segmentation and firewall rules.
  • Enforce least‑privilege authentication, ensuring only required administrative accounts have access.

Generated by OpenCVE AI on May 12, 2026 at 21:10 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 14 May 2026 18:45:00 +0000

Type: First Time appeared
Values Added: Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan

Type: CPEs
Values Added: cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*; cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan

Wed, 13 May 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type: First Time appeared
Values Added: Hpe; Hpe arubaos

Type: Vendors & Products
Values Added: Hpe; Hpe arubaos

Tue, 12 May 2026 21:30:00 +0000

Type: Weaknesses
Values Added: CWE-89

Tue, 12 May 2026 19:30:00 +0000

Type: Description
Values Added: SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

Type: Title
Values Added: Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems

Type: References
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T17:58:29.693Z

Reserved: 2026-05-07T21:29:07.696Z

Link: CVE-2026-44861

Vulnrichment

Updated: 2026-05-13T17:58:14.259Z

NVD

Status: Analyzed

Published: 2026-05-12T20:16:44.720

Modified: 2026-05-14T18:41:11.913

Link: CVE-2026-44861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:38Z

Weaknesses