Description
A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.
Published: 2026-05-12
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an authenticated remote attacker to execute arbitrary shell commands via the web‑based management interface in AOS‑8 and AOS‑10. This can be abused to write or overwrite files on the device’s underlying filesystem, effectively granting the attacker the ability to modify firmware or configuration, inject malicious binaries, or otherwise compromise the integrity of the system. The weakness is a classic command‑injection flaw.

Affected Systems

Hewlett Packard Enterprise's Aruba Networking Wireless Operating System (AOS), specifically the AOS‑8 and AOS‑10 releases, through the device's web‑based management console. No version ranges are specified in the advisory, so any deployment of these OS releases is potentially affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a high‑severity flaw, while the EPSS score of < 1% indicates a very low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog, suggesting no known widespread exploitation as of the data provided. Attackers need valid credentials to reach the web interface, so the exploitation path requires authenticated access; once that access is obtained, however, the ability to execute arbitrary commands makes post‑exploitation trivial.

Generated by OpenCVE AI on May 13, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the HPE Aruba firmware update that fixes the command injection in AOS‑8 and AOS‑10 as documented in the HPE support release.
  • Implement strict input validation and sanitization on any web‑based inputs that are incorporated into shell commands to mitigate CWE‑77, ensuring only whitelisted characters or values are accepted.
  • Restrict access to the web‑management interface to authenticated users with the least privilege required, and consider limiting connections to a trusted IP range or VPN to reduce opportunities for exploitation.

Advisories

No advisories yet.

History

Wed, 13 May 2026 22:45:00 +0000

  Type: First Time appeared
    Values Removed: (none)
    Values Added: Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan
  Type: CPEs
    Values Removed: (none)
    Values Added: cpe:2.3:a:arubanetworks:sd-wan:*:*:*:*:*:*:*:*; cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*
  Type: Vendors & Products
    Values Removed: (none)
    Values Added: Arubanetworks; Arubanetworks arubaos; Arubanetworks sd-wan

Wed, 13 May 2026 16:30:00 +0000

  Type: Weaknesses
    Values Removed: (none)
    Values Added: CWE-77

Wed, 13 May 2026 14:15:00 +0000

  Type: Metrics
    Values Removed: (none)
    Values Added: ssvc
      {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

  Type: First Time appeared
    Values Removed: (none)
    Values Added: Hpe; Hpe arubaos
  Type: Vendors & Products
    Values Removed: (none)
    Values Added: Hpe; Hpe arubaos

Tue, 12 May 2026 19:30:00 +0000

  Type: Description
    Values Removed: (none)
    Values Added: A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.
  Type: Title
    Values Removed: (none)
    Values Added: Authenticated Arbitrary File Upload via Command Injection in AOS-8 AND AOS-10 Web-Based Management Interface
  Type: References
    Values Removed: (none)
    Values Added: (none)
  Type: Metrics
    Values Removed: (none)
    Values Added: cvssV3_1
      {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: hpe

Published:

Updated: 2026-05-15T20:04:56.217Z

Reserved: 2026-05-07T21:29:22.243Z

Link: CVE-2026-44872

Vulnrichment

Updated: 2026-05-13T12:34:43.910Z

NVD

Status: Analyzed

Published: 2026-05-12T20:16:45.793

Modified: 2026-05-13T22:42:55.743

Link: CVE-2026-44872

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T18:30:46Z

Weaknesses