Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities exist in the web‑based management interface of AOS‑8 and AOS‑10 operating systems. An attacker who has valid management credentials can spawn arbitrary operating‑system commands. The resultant breach can lead to full compromise of confidentiality, integrity, and availability of the device and any network services it supports.

Affected Systems

Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions 8 and 10 are affected. The vulnerability is tied to the web‑interface management layer of these OS releases.

Risk and Exploitability

The CVSS score of 7.2 indicates a moderate to high severity, yet the EPSS score is not available, so the current probability of exploitation is unknown. Because the vulnerability requires authentication, the attacker must first compromise or possess legitimate credentials, but once authenticated the web interface can be accessed remotely, a scenario easily achievable when the management console is exposed to untrusted networks. The vulnerability is not listed in the CISA KEV catalog, suggesting that there are no confirmed widespread exploit campaigns at this time. Nonetheless, an authenticated remote attacker could use this flaw to gain arbitrary command execution, underscoring the importance of timely remediation.

Generated by OpenCVE AI on May 12, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest AOS‑8 or AOS‑10 firmware update from Hewlett Packard Enterprise that patches the command‑injection flaw
  • Limit or disable remote access to the web‑based management interface, restricting it to trusted internal networks only
  • Implement network segmentation and firewall rules to prevent external unauthenticated hosts from reaching the management port

Generated by OpenCVE AI on May 12, 2026 at 21:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
CWE-94

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Title Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:13:41.797Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44867

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T20:16:45.350

Modified: 2026-05-12T20:16:45.350

Link: CVE-2026-44867

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses