Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities exist in the web‑based management interface of Hewlett Packard Enterprise Aruba Operating System versions AOS‑8 and AOS‑10. An attacker who has authenticated access to the interface can trigger the execution of arbitrary operating‑system commands, potentially affecting confidentiality, integrity, and availability of the device.

Affected Systems

The affected product is the Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) for its AOS‑8 and AOS‑10 releases. The CVE targets the web interface of these operating system versions; no specific patch level is identified, so any installation maintaining the vulnerable web interface is at risk.

Risk and Exploitability

The CVSS score of 7.2 is rated High, while the EPSS of < 1% reflects a very low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is network‑based and requires authentication with high privileges (PR:H in the CVSS vector), implying that compromised administrative credentials or local administrator access could enable exploitation. Based on the description, it is inferred that an attacker could execute malicious commands on the host to gain further authority over the device or the surrounding network.

Generated by OpenCVE AI on May 13, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑published patch or firmware update documented by Hewlett Packard Enterprise via the support reference link.
  • Restrict access to the web‑based management interface to trusted networks or subnets using firewall or VLAN segmentation.
  • Enforce strong, unique administrative credentials and, if possible, enable two‑factor authentication for all privileged accounts.



Advisories

No advisories yet.

History

Fri, 15 May 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan
CPEs cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan

Wed, 13 May 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Wed, 13 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Title Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-13T17:51:52.118Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44865

Vulnrichment

Updated: 2026-05-13T17:51:48.227Z

NVD

Status: Analyzed

Published: 2026-05-12T20:16:45.137

Modified: 2026-05-15T12:44:37.217

Link: CVE-2026-44865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T22:30:06Z

Weaknesses