Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection: an attacker who already holds administrative privileges can supply crafted input to parameters that the AOS-8 and AOS-10 command-line interface and management protocol pass, unsanitized, into backend database queries. Because the injected query content reaches the underlying operating system, successful exploitation yields arbitrary command execution and compromises the confidentiality, integrity, and availability of the device. The weakness is classified as SQL injection (CWE-89).

Affected Systems

Hewlett Packard Enterprise's Aruba Networking Wireless Operating System (AOS) versions AOS-8 and AOS-10 are affected. No specific patch or affected version range is listed, so all releases of these operating systems should be treated as at risk until a vendor patch is applied.

Risk and Exploitability

The CVSS 3.1 score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) denotes high severity: the attack is network-reachable, low in complexity, and needs no user interaction, but it requires high (administrative) privileges. The EPSS score is unavailable, so the likelihood of exploitation cannot be quantified, and the vulnerability is not in CISA's KEV catalog. Because authenticated administrative access is required, the expected vector is remote exploitation over the network through the management protocol or CLI. Since the flaw permits arbitrary command execution, the risk to the affected system is substantial, especially in environments where administrative credentials are widely distributed.

Generated by OpenCVE AI on May 12, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the HPE security update for AOS-8 and AOS-10 that addresses the SQL injection flaw as soon as it is available; follow HPE's installation instructions to ensure the patch is applied correctly.
  • Restrict administrative access to the AOS command‑line interface and management protocol to trusted hosts or IP ranges; enforce least‑privilege principles to limit the number of users with the required credentials.
  • Disable unused management interfaces and services on the device, or limit their exposure to the internal network, to reduce the attack surface for potential exploitation.


Advisories

No advisories yet.

History

Tue, 12 May 2026 22:15:00 +0000

  Type         Values Removed   Values Added
  Weaknesses                    CWE-89

Tue, 12 May 2026 19:30:00 +0000

  Type         Values Removed   Values Added
  Description                   (the current Description text, as shown at the top of this record)
  Title                         Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
  References
  Metrics                       cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:09:19.516Z

Reserved: 2026-05-07T21:29:07.696Z

Link: CVE-2026-44863

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:44.923

Modified: 2026-05-12T20:16:44.923

Link: CVE-2026-44863

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:00:22Z

Weaknesses