Description
Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system.
Published: 2026-05-12
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Command injection vulnerabilities exist in the web‑based management interface of HPE Aruba Wireless Operating System versions AOS‑8 and AOS‑10. An authenticated remote attacker who can access the web interface can execute arbitrary operating system commands, yielding full control over the device’s underlying OS. This is a classic remote code execution flaw, classified under CWE‑78.

Affected Systems

The affected systems are Hewlett Packard Enterprise Aruba Wireless Operating System AOS‑8 and AOS‑10. No specific affected version range is provided, so all deployed instances of these OS releases are potentially susceptible. Users should verify the model and firmware version against HPE’s advisory to confirm whether their devices are impacted.

Risk and Exploitability

The vulnerability scores a CVSS of 7.2, indicating high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog, so public exploitation is not yet documented as widespread. Attackers would first need valid user credentials to log into the web interface; once authenticated, they can send crafted input that is passed directly to the operating system shell. Because the attack vector is remote over the network, the potential impact ranges from compromised device configuration to complete takeover, depending on the privileges of the authenticated user.

Generated by OpenCVE AI on May 12, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest HPE Aruba AOS security update that addresses the command injection flaw.
  • If a patch is unavailable, disable or lock down the web‑based management interface entirely and restrict its access to a trusted internal network subnet.
  • Enforce strong, multi‑factor authentication and limit manageability privileges to only those users who require direct device control.
  • Configure firewall rules or network segmentation to isolate AOS devices from external traffic, so that only authorized management stations can reach the web interface.
  • Monitor system logs for unexpected command execution patterns and audit user activity on the AOS management console.

Advisories

No advisories yet.

History

Tue, 12 May 2026 21:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Weaknesses | | CWE-78 |

Tue, 12 May 2026 19:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary commands on the underlying operating system. |
| Title | | Authenticated Command Injection Vulnerabilities in the Web-Based Management Interface of AOS-8 and AOS-10 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'} |


MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-12T19:15:50.763Z

Reserved: 2026-05-07T21:29:07.697Z

Link: CVE-2026-44869

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:45.583

Modified: 2026-05-12T20:16:45.583

Link: CVE-2026-44869

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:15:29Z

Weaknesses