This vulnerability is a SQL injection flaw that exists in the command‑line interface and management protocol of Hewlett Packard Enterprise’s Aruba Networking Wireless Operating System (AOS) running on versions 8 and 10. The flaw allows an authenticated attacker with administrative privileges to inject crafted input into database queries. Successful exploitation can cause arbitrary command execution on the underlying operating system, giving the attacker full control of the device. The weakness is identified as a classic SQL injection (CWE‑89).

The affected products are Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions 8 and 10. No additional sub‑version details are provided, so any device running AOS‑8 or AOS‑10 with default or wide‑open CLI/management access is potentially vulnerable.

The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score is not available, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated admin session; once the attacker has legitimate administrative credentials, they can target the CLI or management protocol and inject malicious SQL statements. Because the attack vector is internal and needs privileged access, the immediate risk is mainly for organizations that may have weak privilege controls or compromised accounts. Nevertheless, the ability to execute arbitrary OS commands means that, once exploited, the attacker can exfiltrate data, modify configurations, or pivot to other network assets.