Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

SQL injection vulnerabilities exist in several service components of the Hewlett Packard Enterprise Aruba AOS-8 and AOS-10 operating systems. An attacker who can authenticate with administrative privileges can inject crafted input into command-line interface and management protocol parameters that are passed unsanitized to backend database queries. Successful exploitation allows execution of arbitrary commands on the underlying operating system, which amounts to full compromise of the device.
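To make the weakness class (CWE-89) concrete, the following Python/sqlite3 illustration is added here by the editor; it is not AOS code and says nothing about how the affected services actually build their queries. The users table, the two attacker-supplied CLI arguments, the allow-list regex and the role set are all constructed for the example. It shows a read path and a write path in which a CLI argument is pasted into SQL text, beside the bound-parameter form that closes the hole.

```python
import re
import sqlite3

# Constructed sample rows standing in for a service's backend table.
# Generic CWE-89 illustration only; not code from AOS-8 or AOS-10.
SAMPLE_USERS = [("admin", "root"), ("guest", "read-only"), ("ops", "read-write")]

# Hypothetical allow-lists for the two CLI arguments. They are defence in
# depth; the parameter binding in the *_safe functions is the actual fix.
NAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
VALID_ROLES = {"root", "read-write", "read-only"}


def make_db():
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def role_of(conn, name):
    """Observe the stored role of one user (bound parameter, safe)."""
    row = conn.execute("SELECT role FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def show_user_vulnerable(conn, name):
    """CWE-89 read path: the CLI argument is interpolated into the SQL
    text, so a value such as  guest' OR '1'='1  rewrites the WHERE clause
    and the query returns every row."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def set_role_vulnerable(conn, name, role):
    """CWE-89 write path. executescript() mimics a backend driver that
    accepts stacked statements (sqlite3's execute() rejects them), so the
    attacker can close the intended UPDATE and append their own."""
    sql = f"UPDATE users SET role = '{role}' WHERE name = '{name}'"
    conn.executescript(sql)


def show_user_safe(conn, name):
    """Hardened read path: the argument is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def set_role_safe(conn, name, role):
    """Hardened write path: allow-list validation plus bound parameters."""
    if not NAME_RE.fullmatch(name):
        raise ValueError(f"invalid user name: {name!r}")
    if role not in VALID_ROLES:
        raise ValueError(f"invalid role: {role!r}")
    conn.execute("UPDATE users SET role = ? WHERE name = ?", (role, name))
    conn.commit()


# Attacker-controlled CLI arguments, constructed for the demonstration.
TAUTOLOGY = "guest' OR '1'='1"
STACKED_ROLE = (
    "read-only' WHERE name = 'ops'; "
    "UPDATE users SET role = 'root' WHERE name = 'guest'; --"
)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable SELECT:", show_user_vulnerable(conn, TAUTOLOGY))
    print("safe SELECT:", show_user_safe(conn, TAUTOLOGY))
    set_role_vulnerable(conn, "ops", STACKED_ROLE)
    print("guest role after stacked UPDATE:", role_of(conn, "guest"))
    try:
        set_role_safe(conn, "ops", STACKED_ROLE)
    except ValueError as exc:
        print("safe UPDATE rejected input:", exc)
```

The tautology turns a single-user lookup into a dump of the whole table; the stacked payload lets a low-privilege user be promoted to root through a parameter that was only meant to carry a role name. Both are stopped by binding the argument as a parameter, which is the structural fix; the allow-list is there so that obviously malformed input is rejected before it reaches the database at all, and so that a legitimate value containing a quote character is handled predictably rather than breaking the query.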

Affected Systems

The affected products are Hewlett Packard Enterprise Aruba Networking AOS-8 and AOS-10. The advisory text reproduced here lists no affected or fixed version numbers, so treat all releases of both trains as in scope until HPE's support advisory narrows it.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 7.2 (High) with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: it is reachable over the network with low attack complexity and no user interaction, but requires high privileges, and a successful attack fully compromises confidentiality, integrity and availability of the device. No EPSS score is available, and the CVE is not in the CISA KEV catalog, so there is no documented active exploitation at the time of writing. The practical gating factor is an administrative login on the management interface; once authenticated, the attacker manipulates backend database queries to run commands on the underlying operating system, a severe threat to the managed network infrastructure. Shared or compromised admin credentials, and any exposure of the management interface beyond the management network, are the conditions that turn this into a live risk.

Generated by OpenCVE AI on May 12, 2026 at 21:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the HPE Aruba AOS-8/AOS-10 security update once HPE publishes it in its support advisory; at the time of this write-up no vendor fix or workaround is listed, so the controls below are the only available mitigations.
  • Remove or limit administrative access to the AOS command‑line and management protocol for users who do not need it; enforce least‑privilege principles.
  • Segment the management network so that only trusted devices can reach the AOS controller interfaces, reducing the attack surface.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type: Weaknesses
Values removed: (none)
Values added: CWE-89

Tue, 12 May 2026 19:30:00 +0000

Type: Description
Values removed: (none)
Values added: SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

Type: Title
Values removed: (none)
Values added: Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems

Type: References
Values removed: (none)
Values added: (none shown)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1, score 7.2, vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:08:40.569Z

Reserved: 2026-05-07T21:29:07.696Z

Link: CVE-2026-44862

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:44.820

Modified: 2026-05-12T20:16:44.820

Link: CVE-2026-44862

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses