Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities in the web‑based management interface of HPE Aruba AOS‑8 and AOS‑10 allow an authenticated remote attacker to execute arbitrary operating‑system commands. This flaw can be used to compromise the host, elevate privileges, exfiltrate data or launch further attacks once the attacker gains access credentials to the web interface.

Affected Systems

Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions 8 and 10 are affected. No specific firmware revisions are listed, but any system running AOS‑8 or AOS‑10 remains vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability that can provide an attacker with full control over the affected device. The exploit probability is not quantified (EPSS not available) and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via the web interface, requiring authentication; an attacker with valid administrative credentials can trigger the command injection and run arbitrary commands on the device’s operating system.

Generated by OpenCVE AI on May 12, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba AOS firmware release that contains the patch for command injection.
  • Restrict administrative access to the web interface by limiting it to trusted IP ranges or VPN tunnels and enforce multi‑factor authentication for portal users.
  • Configure local host‑based firewalls or segmentation to block or monitor suspicious command execution patterns and routinely review system logs for anomalous activity.

Generated by OpenCVE AI on May 12, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan
CPEs cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
Vendors & Products Arubanetworks
Arubanetworks arubaos
Arubanetworks sd-wan

Thu, 14 May 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Hpe
Hpe arubaos
Vendors & Products Hpe
Hpe arubaos

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Title Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Arubanetworks Arubaos Sd-wan
Hpe Arubaos
cve-icon MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-14T12:28:51.490Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44868

cve-icon Vulnrichment

Updated: 2026-05-14T12:28:43.084Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T20:16:45.467

Modified: 2026-05-14T18:17:14.707

Link: CVE-2026-44868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:36:28Z

Weaknesses