CVE-2026-44864

Summary

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

Affected Software

VendorProductVersion RangeStatus
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)8.13.0.0 <= 8.13.1.1affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)8.12.0.0 <= 8.12.0.6affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)8.10.0.0 <= 8.10.0.21affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)10.7.0.0 <= 10.7.2.2affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)10.8.0.0affected
Hewlett Packard Enterprise (HPE)HPE Aruba Networking Wireless Operating System (AOS)10.4.0.0 <= 10.4.1.10affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References