Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated attacker can inject arbitrary operating-system commands through the AOS web-management interface. The flaw permits complete takeover of the device's OS, exposing data, enabling persistent footholds, and allowing denial-of-service actions. The weakness is classified as CWE-78, Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection').

Affected Systems

The vulnerability affects Hewlett Packard Enterprise’s Aruba Networking Wireless Operating System, specifically versions AOS‑8 and AOS‑10. No detailed patch levels are published in the advisory, so administrators should verify against the latest firmware released for these OS branches.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. EPSS data is not available, but the flaw is remotely reachable and yields arbitrary command execution, which makes the risk serious. The issue is not listed in CISA KEV, but the high impact and potential to bypass normal controls make it a priority for mitigation. Exploitation requires valid credentials to the management interface (the CVSS vector lists PR:H, high privileges required), so access control and network segmentation are critical defensive measures.

Generated by OpenCVE AI on May 12, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba firmware update that addresses the command injection flaw.
  • Limit access to the web‑based management interface to trusted IP addresses or enforce VPN access.
  • Enforce strong, multi‑factor authentication and restrict privileged accounts; disable unused management protocols.
  • Monitor system logs for unexpected command execution and anomalous network activity.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Values added (none removed):

  • Weaknesses: CWE-78

Tue, 12 May 2026 19:30:00 +0000

Values added (none removed):

  • Description: Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
  • Title: Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
  • References
  • Metrics: cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:12:47.890Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44866

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:45.243

Modified: 2026-05-12T20:16:45.243

Link: CVE-2026-44866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses