HPE Aruba Networking fixes critical flaws impacting Access Points
HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.
The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can be exploited by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211) to get privileged access to execute arbitrary code on vulnerable devices.
The Hewlett Packard Enterprise (HPE) subsidiary (formerly known as Aruba Networks) confirmed in a security advisory released earlier this week that the security flaws impact Aruba Access Points running Instant AOS-8 and AOS-10.
The vulnerabilities were reported by security researcher Erik De Jong through the company’s bug bounty program, and impacted software versions include:
- AOS-10.6.x.x: 10.6.0.2 and below
- AOS-10.4.x.x: 10.4.1.3 and below
- Instant AOS-8.12.x.x: 8.12.0.1 and below
- Instant AOS-8.10.x.x: 8.10.0.13 and below
The company urged administrators to install the latest security updates (available from the HPE Networking Support Portal) on vulnerable access points to prevent potential attacks.
Workaround available, no active exploitation
As a temporary workaround for devices running Instant AOS-8.x code, admins can enable "cluster-security" to block exploitation attempts. For AOS-10 devices, the company advises blocking access to port UDP/8211 from all untrusted networks.
HPE Aruba Networking also confirmed that other Aruba products, including Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are not impacted.
According to the HPE Product Security Response Team, no public exploit code is available, and there have been no reports of attacks targeting the three critical vulnerabilities.
Earlier this year, the company also patched four critical RCE vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.
In February, Hewlett Packard Enterprise (HPE) said it was investigating a potential breach after a threat actor posted credentials and other sensitive information (allegedly stolen from HPE) for sale on a hacking forum.
Two weeks earlier, it reported that its Microsoft Office 365 email environment was breached in May 2023 by hackers believed to be part of the APT29 threat group linked to Russia's Foreign Intelligence Service (SVR).
Watering Hole Attack on Kurdish Sites Distributing Malicious APKs and Spyware
Overloaded with SIEM Alerts? Discover Effective Strategies in This Expert-Led Webinar
CVE-2024-20439 Cisco Smart Licensing Utility Static Credential Vulnerability
CVE-2025-2783 Google Chromium Mojo Sandbox Escape Vulnerability
CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability
CVE-2025-30154 reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability
CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability
CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability
CVE-2025-24472 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability
InformationalInformation Disclosure - Suspicious Comments
InformationalRe-examine Cache-control Directives
Free online web security scanner
