Unauthenticated Arbitrary User Creation Leads to Complete System Compromise
CVE-2023-25589

9.8CRITICAL

Key Information:

Vendor: HP
Status: Aruba ClearPass Policy Manager
Vendor: CVE Published:; 22 March 2023

Summary

A vulnerability in the web-based management interface of ClearPass Policy Manager can be exploited by an unauthenticated remote attacker, enabling them to create arbitrary user accounts on the platform. This exploit permits attackers to gain unauthorized access and potentially compromise the entire cluster, raising significant security concerns for network integrity.

Affected Version(s)

Aruba ClearPass Policy Manager 6.11.1 and below

Aruba ClearPass Policy Manager 6.10.8 and below

Aruba ClearPass Policy Manager 6.9.13 and below

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 22, 2023
Vulnerability Reserved
Feb 7, 2023

Credit

Daniel Jensen (@dozernz)