HPE ArubaOS
By the Year
In 2026 there have been 17 vulnerabilities in HPE ArubaOS, with an average score of 6.9 out of ten. Last year, in 2025, ArubaOS had 3 security vulnerabilities published. That is, 14 more vulnerabilities have already been reported in 2026 than last year. The average CVE base score of the vulnerabilities in 2026 is also greater, by 1.27.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 17 | 6.94 |
| 2025 | 3 | 5.67 |
| 2024 | 0 | 0.00 |
| 2023 | 1 | 6.10 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 0 | 0.00 |
| 2019 | 0 | 0.00 |
| 2018 | 2 | 0.00 |
It may take a day or so for new ArubaOS vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent HPE ArubaOS Security Vulnerabilities
CLI Command Injection in HPE Aruba AP AOS-10.7.x.x
CVE-2026-23823
7.2 - High
- May 12, 2026
A vulnerability in the command line interface of Access Points running AOS-10 could allow an authenticated remote attacker to perform command injection. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. NOTE: This vulnerability only impacts Access Points running AOS-10.7.x.x and above. AOS-10.4 AP and AOS-8 Instant software branches are not affected by this vulnerability.
Command Injection
AOS-8 DHCP XML DoS via Unauth Remote Trigger
CVE-2026-23822
5.3 - Medium
- May 12, 2026
A vulnerability in the XML handling component of AOS-8 DHCP services could allow an unauthenticated remote attacker to trigger a denial-of-service condition. Successful exploitation could allow an attacker to cause excessive resource consumption upon user interaction, leading to service disruption or reduced availability of the affected system. NOTE: This vulnerability only impacts Access Points running AOS Instant 8.x.x.x.
XEE
HPE Aruba AOS-10 AP Authenticated Remote Command Exec via Config Processor (CVE-2026-23821)
CVE-2026-23821
7.2 - High
- May 12, 2026
A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. Note: Access Points running AOS-8 Instant software are not affected by this vulnerability.
Shell injection
Authenticated Remote Shell via CLI in HPE AOS-10/8 Instant APs
CVE-2026-23820
7.2 - High
- May 12, 2026
A vulnerability in the command line interface of Access Points running AOS-10 and AOS-8 Instant could allow an authenticated remote attacker to execute system commands in a restricted shell environment. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
Shell injection
Aruba AP: Remote JavaScript Exec via Web UI CVE-2026-23819
CVE-2026-23819
8.8 - High
- May 12, 2026
A vulnerability in the web-based management interface of Access Points running AOS-10 and AOS-8 Instant could allow an unauthenticated remote attacker to execute arbitrary JavaScript code in a victim's browser within the same local network. Successful exploitation could allow an attacker to compromise user data and potentially manipulate device configuration settings.
XSS
OOB Read in HPE Buffer Component Enables DoS
CVE-2025-37179
5.3 - Medium
- January 13, 2026
Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process.
Out-of-bounds Read
HPE Buffer OOB Read CVE-2025-37178
CVE-2025-37178
5.3 - Medium
- January 13, 2026
Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential denial-of-service of the compromised process.
Out-of-bounds Read
HPE Mobility Conductor CLI Arbitrary File Deletion (CVE-2025-37177)
CVE-2025-37177
6.5 - Medium
- January 13, 2026
An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
Files or Directories Accessible to External Parties
Command Injection in AOS-8 Package Header Authenticated Privileged User
CVE-2025-37176
6.5 - Medium
- January 13, 2026
A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism.
Command Injection
HPE Aruba Mobility Conductor AOS-10/8 Arbitrary File Upload
CVE-2025-37175
7.2 - High
- January 13, 2026
An arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system.
Unrestricted File Upload
HPE Mobility Conductor AOS-10/AOS-8 Arb File Write via Auth Web-Mgmt
CVE-2025-37174
7.2 - High
- January 13, 2026
Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating system.
Insecure Inherited Permissions
Improper Input Handling in HP Mobility Conductor AOS Web Interface
CVE-2025-37173
7.2 - High
- January 13, 2026
An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system.
Improper Input Validation
Auth Cmd Injection in HPE Aruba Mobility Conductor AOS-8 Web UI
CVE-2025-37172
7.2 - High
- January 13, 2026
Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
Shell injection
HPE MobilityConductor AOS-8 Auth Cmd Injection (CVE-2025-37171)
CVE-2025-37171
7.2 - High
- January 13, 2026
Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
Shell injection
HPE Aruba Mobility Conductor AOS-8 Authenticated Command Injection
CVE-2025-37170
7.2 - High
- January 13, 2026
Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
Shell injection
Stack Overflow in HPE AOS-10 Web UI Enables Privileged Exec
CVE-2025-37169
7.2 - High
- January 13, 2026
A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system.
Aruba Mobility Conductor AOS-8 Arbitrary File Deletion
CVE-2025-37168
8.2 - High
- January 13, 2026
An arbitrary file deletion vulnerability has been identified in a system function of mobility conductors running the AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on affected devices.
Files or Directories Accessible to External Parties
Aruba AOS Low-level Interface Lib: Authenticated Arbitrary File Download
CVE-2025-37145
4.9 - Medium
- October 14, 2025
Arbitrary file download vulnerabilities exist in a low-level interface library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
Directory traversal
AOS-10/AOS-8 GW & Controller: Authenticated File Download Vulnerability
CVE-2025-37144
4.9 - Medium
- October 14, 2025
Arbitrary file download vulnerabilities exist in a low-level interface library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
Directory traversal
Auth Cmd Injection in Cisco AOS-8 Ctrl/Mobility Conductor CLI
CVE-2025-37134
7.2 - High
- October 14, 2025
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
Command Injection
ArubaOS Webman XSS Enables Script Execution in Admin UI
CVE-2023-35978
6.1 - Medium
- July 05, 2023
A vulnerability in ArubaOS could allow an unauthenticated remote attacker to conduct a reflected cross-site scripting (XSS) attack against a user of the web-based management interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface.
XSS
Multiple memory corruption flaws are present in ArubaOS which could allow an unauthenticated user to crash ArubaOS processes
CVE-2017-9003
- August 06, 2018
Multiple memory corruption flaws are present in ArubaOS which could allow an unauthenticated user to crash ArubaOS processes. With sufficient time and effort, it is possible these vulnerabilities could lead to the ability to execute arbitrary code - remote code execution has not yet been confirmed.
ArubaOS (all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x prior to 6.5.1.9, 6.5.2, 6.5.3 prior to 6.5.3.3, 6.5.4 prior to 6.5.4.2, 8.x prior to 8.1.0.4; FIPS and non-FIPS versions of software are both affected equally) is vulnerable to unauthenticated arbitrary file access
CVE-2017-9000
- August 06, 2018
ArubaOS (all versions prior to 6.3.1.25, 6.4 prior to 6.4.4.16, 6.5.x prior to 6.5.1.9, 6.5.2, 6.5.3 prior to 6.5.3.3, 6.5.4 prior to 6.5.4.2, 8.x prior to 8.1.0.4; FIPS and non-FIPS versions of software are both affected equally) is vulnerable to unauthenticated arbitrary file access. An unauthenticated user with network access to an Aruba mobility controller on TCP port 8080 or 8081 may be able to access arbitrary files stored on the mobility controller. Ports 8080 and 8081 are used for captive portal functionality and are listening, by default, on all IP interfaces of the mobility controller, including captive portal interfaces. The attacker could access files which could contain passwords, keys, and other sensitive information that could lead to full system compromise.