Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities in the web‑based management interface of HPE Aruba AOS‑8 and AOS‑10 allow an authenticated remote attacker to execute arbitrary operating‑system commands. This flaw can be used to compromise the host, elevate privileges, exfiltrate data or launch further attacks once the attacker gains access credentials to the web interface.

Affected Systems

Hewlett Packard Enterprise Aruba Networking Wireless Operating System (AOS) versions 8 and 10 are affected. No specific firmware revisions are listed, but any system running AOS‑8 or AOS‑10 remains vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability that can provide an attacker with full control over the affected device. The exploit probability is not quantified (EPSS not available) and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote via the web interface, requiring authentication; an attacker with valid administrative credentials can trigger the command injection and run arbitrary commands on the device’s operating system.

Generated by OpenCVE AI on May 12, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba AOS firmware release that contains the patch for command injection.
  • Restrict administrative access to the web interface by limiting it to trusted IP ranges or VPN tunnels and enforce multi‑factor authentication for portal users.
  • Configure local host‑based firewalls or segmentation to block or monitor suspicious command execution patterns and routinely review system logs for anomalous activity.

Generated by OpenCVE AI on May 12, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Title Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:15:05.027Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44868

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-12T20:16:45.467

Modified: 2026-05-12T20:16:45.467

Link: CVE-2026-44868

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses