Authenticated Remote Command Execution in ArubaOS Web-based Management Interface

CVE-2023-35972

7.2HIGH

Key Information

Vendor: HP
Status: Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central
Vendor: CVE Published:; 5 July 2023

Summary

An authenticated remote command injection vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS.

Affected Version(s)

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central <= - ArubaOS 10.4.x.x: 10.4.0.1 and below

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central = - ArubaOS 10.4.x.x: 10.4.0.1 and below

Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central = - ArubaOS 8.11.x.x: 8.11.1.0 and below

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published.
Jul 5, 2023
Vulnerability Reserved.
Jun 20, 2023

Collectors

NVD DatabaseMitre Database

Credit

Daniel Jensen (@dozernz)