Unauthenticated Remote Code Execution through Command Injection Vulnerabilities
CVE-2024-42505

9.8CRITICAL

Key Information:

Vendor: HP
Status: Aruba Os
Vendor: CVE Published:; 25 September 2024

Summary

The vulnerability presents command injection risks within Aruba's Command Line Interface (CLI) service, which could allow unauthorized remote code execution. Attackers may exploit this vulnerability by sending specially crafted packets to the Protocol for Access Point Management Interface (PAPI) over UDP port 8211. Successful exploitation permits execution of arbitrary code with elevated privileges on the operating system, posing significant security risks to affected Aruba Access Points. Organizations utilizing vulnerable products should assess their exposure and apply recommended mitigations to secure their network infrastructure.

Affected Version(s)

Aruba OS Version 10.5.0.0: 10.6.0.2 and below

Aruba OS Version 10.0.0.0: 10.4.1.13 and below

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpe...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 25, 2024

Credit

erikdejong