Unauthenticated Remote Code Execution Vulnerability in PAPI
CVE-2024-31473

9.8CRITICAL

Key Information:

Vendor: HP (HP)
Status: Aruba Instantos And Aruba Access Points Running Arubaos 10
Vendor: CVE Published:; 14 May 2024

What is CVE-2024-31473?

A command injection vulnerability exists in the deauthentication service of Aruba Access Points, where an attacker can potentially exploit this flaw to execute arbitrary code on the underlying operating system. By sending specially crafted packets to the PAPI (Aruba's Access Point management protocol) UDP port 8211, it is possible to achieve unauthenticated remote code execution, posing significant risks to network integrity and security.

Affected Version(s)

Aruba InstantOS and Aruba Access Points running ArubaOS 10 InstantOS or ArubaOS (access points) 10.5.x.x: 10.5.1.0 and below.

Aruba InstantOS and Aruba Access Points running ArubaOS 10 InstantOS or ArubaOS (access points) 10.4.x.x: 10.4.1.0 and below.

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2024
Vulnerability Reserved
Apr 3, 2024

Credit

Erik De Jong (bugcrowd.com/erikdejong

HP (HP)

What is CVE-2024-31473?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit