Unauthenticated Remote Code Execution Vulnerability in PAPI
CVE-2024-47460

9 CRITICAL

Key Information:

Vendor: HP
CVE Published: 5 November 2024

Badges

📰 News Worthy

Summary

A command injection vulnerability has been identified in the CLI service associated with Aruba's Access Point management protocol (PAPI), specifically affecting communications through the PAPI UDP port (8211). An unauthenticated attacker can exploit this vulnerability by sending specially crafted packets, potentially resulting in execution of arbitrary code with elevated privileges on the underlying operating system. Because exploitation gives an attacker unauthorized access to and control over affected Aruba Access Points, organizations should assess their systems and apply the necessary security measures.

Affected Version(s)

HPE Aruba Networking Access Points, Instant AOS-8, and AOS-10 AOS-10.4.x.x: 10.4.1.4 and below

HPE Aruba Networking Access Points, Instant AOS-8, and AOS-10 Instant AOS-8.12.x.x: 8.12.0.2 and below

News Articles

HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities

HPE addresses critical flaws in Aruba Access Points, preventing remote code execution for secure networking

2 months ago

References

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 📰 First article discovered by The Hacker News

  • Vulnerability published

  • Vulnerability Reserved

Credit

Erik De Jong (bugcrowd.com/erikdejong)