Impact
An authenticated attacker can inject arbitrary operating-system commands through the AOS web-management interface. The flaw permits complete takeover of the device's OS, exposing data, enabling persistent footholds, and allowing denial-of-service actions. The weakness is classified as CWE-77, improper neutralization of special elements used in a command (command injection).
Affected Systems
The vulnerability affects Hewlett Packard Enterprise’s Aruba Networking Wireless Operating System, specifically versions AOS‑8 and AOS‑10. No detailed patch levels are published in the advisory, so administrators should verify against the latest firmware released for these OS branches.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity, and the EPSS score of less than 1% (approximately 0.00175) shows that the probability of exploitation is extremely low but non-zero. Nevertheless, because the flaw allows an authenticated remote attacker to execute arbitrary commands on the underlying OS, the potential impact remains significant. The vulnerability is not listed in CISA KEV, but the fact that it is remotely reachable by an authenticated user and allows normal controls to be bypassed makes it a high priority for mitigation. Exploitation requires valid credentials to the management interface, which highlights the importance of strong access controls and network segmentation.