HPE Aruba Networking fixes critical flaws impacting Access Points

HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points.

The security flaws, tracked as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507 and rated with a 9.8/10 severity score, could allow unauthenticated attackers to gain remote code execution on vulnerable devices by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211).

HPE Aruba Networking, a Hewlett Packard Enterprise (HPE) subsidiary formerly known as Aruba Networks, warned in a security advisory published this week that successful exploitation enables threat actors to execute arbitrary code with privileged access.

The vulnerabilities affect Aruba Access Points running Instant AOS-8 and AOS 10 and were reported by security researcher Erik De Jong through HPE Aruba Networking’s bug bounty program.

Impacted versions include AOS-10.6.x.x (10.6.0.2 and below), AOS-10.4.x.x (10.4.1.3 and below), Instant AOS-8.12.x.x (8.12.0.1 and below), and Instant AOS-8.10.x.x (8.10.0.13 and below).

HPE Aruba Networking recommends that customers upgrade their devices to the latest software (AOS-10.7.0.0, AOS-10.6.0.3, AOS-10.4.1.4, Instant AOS-8.12.0.2, or Instant AOS-8.10.0.14) to block potential attacks. Patches are available for download on the HPE Networking Support Portal.

Workaround available, no active exploitation

As a temporary workaround for devices running Instant AOS-8.x code, admins can enable “cluster-security” to block exploitation attempts. For AOS-10 devices, HPE advises blocking access to port UDP/8211 from all untrusted networks.
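The affected and fixed version ranges above, together with the per-branch workaround, are easy to get wrong when checking a fleet by hand because each AOS branch has its own fixed release. The following script is an added example, not code from the article or from HPE Aruba Networking: it parses the version strings as the article writes them, classifies each access point as vulnerable, fixed, or on a branch the article does not list, and names the interim mitigation the article gives for that branch. The inventory format (hostname,version per line), the hostnames, and the helper names are constructed for this example.

```python
"""Triage Aruba AP firmware versions against the CVE-2024-42505/42506/42507 fixes."""

# First fixed release per AOS branch, keyed by (major, minor), as stated in the
# article: 10.6.0.3, 10.4.1.4, 8.12.0.2, 8.10.0.14, plus 10.7.0.0 as the newest
# recommended release. Branches absent here are not covered by the article.
FIXED_RELEASES = {
    (10, 7): (10, 7, 0, 0),
    (10, 6): (10, 6, 0, 3),
    (10, 4): (10, 4, 1, 4),
    (8, 12): (8, 12, 0, 2),
    (8, 10): (8, 10, 0, 14),
}

# Interim mitigations from the advisory summary, keyed by major version:
# AOS-10 devices -> filter UDP/8211 from untrusted networks,
# Instant AOS-8 devices -> enable "cluster-security".
INTERIM_MITIGATION = {
    10: "block UDP/8211 from untrusted networks until upgraded",
    8: "enable cluster-security until upgraded",
}


def parse_version(text):
    """Turn 'AOS-10.6.0.2', 'Instant AOS-8.10.0.13' or '10.4.1.3' into a 4-tuple of ints."""
    token = text.strip().rsplit("-", 1)[-1]  # drop an 'AOS-' / 'Instant AOS-' prefix
    parts = token.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(version_text):
    """Return (status, fixed_release): status is 'vulnerable', 'fixed' or 'unlisted'.

    Tuple comparison gives the numeric ordering the dotted version implies, so
    10.6.0.2 < 10.6.0.3 and 8.10.0.9 < 8.10.0.14 both count as vulnerable.
    """
    version = parse_version(version_text)
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return "unlisted", None  # branch not in the article; consult the advisory
    return ("vulnerable" if version < fixed else "fixed"), fixed


def interim_mitigation(version_text):
    """Workaround to apply while a vulnerable device awaits its upgrade."""
    major = parse_version(version_text)[0]
    return INTERIM_MITIGATION.get(major, "no workaround listed for this branch")


def triage(inventory_csv):
    """Classify each 'hostname,version' line; returns a list of (host, status, advice)."""
    results = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, version_text = (field.strip() for field in line.split(",", 1))
        status, fixed = assess(version_text)
        if status == "vulnerable":
            advice = f"upgrade to {'.'.join(map(str, fixed))}; meanwhile {interim_mitigation(version_text)}"
        elif status == "fixed":
            advice = "no action required"
        else:
            advice = "branch not covered by this advisory summary; check the vendor advisory"
        results.append((host, status, advice))
    return results


# Constructed sample inventory (hostnames and versions are made up for the example).
INVENTORY = """\
ap-lobby-01,Instant AOS-8.10.0.13
ap-lab-02,AOS-10.6.0.3
ap-wh-03,AOS-10.4.1.3
ap-guest-04,AOS-10.5.0.1
"""

if __name__ == "__main__":
    for host, status, advice in triage(INVENTORY):
        print(f"{host:14} {status:10} {advice}")
```

The script deliberately refuses to guess about branches the article does not mention (such as the constructed 10.5.x entry) rather than silently marking them safe, which is the failure mode to avoid when a vendor lists affected ranges branch by branch.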

HPE Aruba Networking also confirmed that other Aruba products, including Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are not impacted.

According to the HPE Product Security Response Team, no public exploit code is available, and there have been no reports of attacks targeting the three critical vulnerabilities.

Earlier this year, the company also patched four critical RCE vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

In February, Hewlett Packard Enterprise (HPE) said it was investigating a potential breach after a threat actor posted credentials and other sensitive information (allegedly stolen from HPE) for sale on a hacking forum.

Two weeks earlier, it reported that its Microsoft Office 365 email environment was breached in May 2023 by hackers believed to be part of the APT29 threat group linked to Russia’s Foreign Intelligence Service (SVR).
