Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities reside in the web‑based management interface of Hewlett Packard Enterprise Aruba Operating Systems AOS‑8 and AOS‑10. An attacker with valid authenticated credentials can trigger the execution of arbitrary OS commands, potentially giving the attacker full control over the affected device. This breach jeopardizes confidentiality, integrity, and availability of the managed device, and may provide a foothold for further network compromise.

Affected Systems

Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions AOS‑8 and AOS‑10 are susceptible. No specific build or patch level is listed; any installation of these OS versions that still presents the vulnerable web interface is at risk.

Risk and Exploitability

The vulnerability has a CVSS score of 7.2, which is rated High. EPSS data are unavailable, and the flaw is not yet catalogued in CISA KEV, suggesting limited known exploitation but a significant theoretical risk. The attack vector is remote (AV:N) and requires authenticated, high-privilege access to the web interface (PR:H), implying that compromised credentials or local administrator access could enable exploitation. An attacker may use the command injection to launch further attacks against the device and potentially the surrounding network.

Generated by OpenCVE AI on May 12, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published patch or firmware update documented by Hewlett Packard Enterprise via the support reference link.
  • Restrict access to the web‑based management interface to trusted networks or subnets using firewall or VLAN segmentation.
  • Enforce strong, unique administrative credentials and, if possible, enable two‑factor authentication for all privileged accounts.

Generated by OpenCVE AI on May 12, 2026 at 21:08 UTC.


Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | | CWE-78 |

Tue, 12 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. |
| Title | | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 |
| References | | |
| Metrics | | cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |



MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:12:00.613Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44865

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:45.137

Modified: 2026-05-12T20:16:45.137

Link: CVE-2026-44865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses