Description
SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a SQL injection flaw that exists in the command‑line interface and management protocol of Hewlett Packard Enterprise’s Aruba Networking Wireless Operating System (AOS) running on versions 8 and 10. The flaw allows an authenticated attacker with administrative privileges to inject crafted input into database queries. Successful exploitation can cause arbitrary command execution on the underlying operating system, giving the attacker full control of the device. The weakness is identified as a classic SQL injection (CWE‑89).

Affected Systems

The affected products are Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions 8 and 10. No additional sub‑version details are provided, so any device running AOS‑8 or AOS‑10 with default or wide‑open CLI/management access is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.2 indicates a high-severity vulnerability. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated admin session; once the attacker has legitimate administrative credentials, they can target the CLI or management protocol and inject malicious SQL statements. Because the attack vector is internal and needs privileged access, the immediate risk is mainly for organizations that may have weak privilege controls or compromised accounts. Nevertheless, the ability to execute arbitrary OS commands means that, once exploited, the attacker can exfiltrate data, modify configurations, or pivot to other network assets.

Generated by OpenCVE AI on May 12, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security update for Hewlett Packard Enterprise Aruba AOS that addresses this SQL injection flaw.
  • Enforce least‑privilege access to the CLI and management protocols, allowing only trusted administrators to use commands that interact with the database.
  • Disable or restrict the CLI and management protocols for devices that are not required to expose them externally, reducing the attack surface.
  • Conduct an audit of administrator accounts and enforce strong authentication mechanisms.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Arubanetworks
                                      Arubanetworks arubaos
                                      Arubanetworks sd-wan
CPEs                 -                cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products   -                Arubanetworks
                                      Arubanetworks arubaos
                                      Arubanetworks sd-wan

Wed, 13 May 2026 18:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Hpe
                                      Hpe arubaos
Vendors & Products   -                Hpe
                                      Hpe arubaos

Tue, 12 May 2026 21:30:00 +0000

Type        Values Removed   Values Added
Weaknesses  -                CWE-89

Tue, 12 May 2026 19:30:00 +0000

Type         Values Removed   Values Added
Description  -                SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.
Title        -                Authenticated Remote Code Execution via SQL Injection in AOS-8 and AOS-10 Operating Systems
References   -                (none listed)
Metrics      -                cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T17:52:21.729Z

Reserved: 2026-05-07T21:29:07.696Z

Link: CVE-2026-44864

Vulnrichment

Updated: 2026-05-13T17:52:17.607Z

NVD

Status: Analyzed

Published: 2026-05-12T20:16:45.033

Modified: 2026-05-14T18:40:33.983

Link: CVE-2026-44864

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T10:36:33Z

Weaknesses