Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection vulnerabilities in the command‑line interface and management protocol of Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) allow an authenticated administrator to pass crafted input, unsanitized, into backend database queries and from there execute arbitrary operating‑system commands. The weakness is CWE‑89 (improper neutralization of special elements in an SQL command): untrusted parameter text becomes part of the statement rather than data, and on this platform control of the statement is enough to reach the underlying OS, compromising confidentiality, integrity, and availability with the privileges of the affected service.
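The mechanism named in the Description and in the Impact paragraph above, as an added illustration that is not code from HPE Aruba AOS, from the advisory or from OpenCVE: a CLI-style lookup handler that concatenates its argument into the query, beside the same lookup with a bound parameter. The handler name, the tables and the rows are constructed for the example; the real AOS backend, schema and query text are not public. The example uses SQLite only because it runs anywhere; it shows the injection point and the hardened form, not an AOS exploit.

```python
"""Added CWE-89 illustration (not AOS code). The handler, tables and rows are
constructed for this example; the real AOS backend and schema are not public."""
import re
import sqlite3

# Constructed sample data standing in for a management-plane database.
SCHEMA = """
CREATE TABLE users (name TEXT, role TEXT);
CREATE TABLE secrets (key TEXT, value TEXT);
INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'readonly');
INSERT INTO secrets VALUES ('radius_shared_secret', 'hunter2');
"""


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def show_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the statement by string concatenation: the CLI argument becomes
    part of the SQL grammar, so a quote inside `name` rewrites the query."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# Hypothetical allow-list for the CLI argument, as defence in depth only;
# the primary fix is the bound parameter below.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def show_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Same lookup with a bound parameter: `name` is only ever data, whatever
    characters it contains. Arguments outside the allow-list are rejected
    before they reach the database at all."""
    if not NAME_RE.match(name):
        return []
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Crafted CLI argument (constructed): closes the string literal, appends a
# UNION that reads an unrelated table, and comments out the original closing
# quote with "--".
PAYLOAD = "x' UNION SELECT key, value FROM secrets --"


def demo() -> dict:
    conn = new_db()
    return {
        "vulnerable_normal": show_user_vulnerable(conn, "alice"),
        "vulnerable_payload": show_user_vulnerable(conn, PAYLOAD),
        "hardened_payload": show_user_hardened(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the payload, the concatenated query returns the row from `secrets` instead of a user; the bound-parameter version returns nothing because the argument never stops being a literal string. SQLite refuses stacked statements, so the example stops at data disclosure; the advisory's OS command execution is what the same control over the statement yields on a backend whose engine or stored procedures can reach the operating system.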

Affected Systems

The affected products are Hewlett Packard Enterprise Aruba Networking Wireless Operating System, specifically versions AOS‑8 and AOS‑10. No additional patch‑level or build information is provided in the advisory.

Risk and Exploitability

The CVSS 3.1 base score of 7.2 (vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) classifies the vulnerability as high severity. The attack vector is network (AV:N), not local: the crafted parameters travel over the same CLI and management‑protocol paths an administrator already uses, with low attack complexity and no user interaction. What keeps the score below critical is PR:H, the requirement for administrative privileges, so the realistic routes to exploitation are compromised or weak administrative credentials, hijacked management sessions, and management interfaces reachable from networks that should not see them. Once those privileges are held, the impact is high on confidentiality, integrity, and availability (scope unchanged). No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog; this page also references no public exploit code. Treat the flaw as a post‑authentication privilege‑to‑OS bridge: credential compromise on any administrator account is sufficient.

Generated by OpenCVE AI on May 12, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the HPE Aruba AOS‑8 and AOS‑10 security patch as soon as HPE publishes one; at the time of this page no vendor fix or workaround is listed, so the two measures below are the only controls available now.
  • Restrict access to the AOS command‑line interface and management protocol to dedicated management networks via segmentation and firewall rules, since the vulnerability is reachable over the network (AV:N) by anyone holding administrative credentials.
  • Enforce least‑privilege authentication: keep administrative accounts to the minimum required, use strong credentials, and review logins to the CLI and management protocol, because any administrative session is sufficient to exploit the flaw.


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type: Weaknesses
Values removed: none
Values added: CWE-89

Tue, 12 May 2026 19:30:00 +0000

Type: Description
Values removed: none
Values added: SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

Type: Title
Values removed: none
Values added: Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems

Type: References
Values removed: none
Values added: (none listed)

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:07:07.251Z

Reserved: 2026-05-07T21:29:07.696Z

Link: CVE-2026-44861

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T20:16:44.720

Modified: 2026-05-12T20:16:44.720

Link: CVE-2026-44861

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses