Category: IT|Oct 1, 2024 | Author: Admin

HPE Aruba Networking fixes critical flaws impacting Access Points


HPE Aruba Networking has fixed three critical vulnerabilities in the Command Line Interface (CLI) service of its Aruba Access Points, which could let unauthenticated attackers gain remote code execution on vulnerable devices.


The vulnerabilities (CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507) can be exploited by sending specially crafted packets to the PAPI (Aruba’s Access Point management protocol) UDP port (8211) to get privileged access to execute arbitrary code on vulnerable devices.

 

The Hewlett Packard Enterprise (HPE) subsidiary (formerly known as Aruba Networks) confirmed in a security advisory released earlier this week that the security flaws impact Aruba Access Points running Instant AOS-8 and AOS-10.

 

The vulnerabilities were reported by security researcher Erik De Jong through the company’s bug bounty program, and impacted software versions include:

 

  • AOS-10.6.x.x: 10.6.0.2 and below
  • AOS-10.4.x.x: 10.4.1.3 and below
  • Instant AOS-8.12.x.x: 8.12.0.1 and below
  • Instant AOS-8.10.x.x: 8.10.0.13 and below

 

The company urged administrators to install the latest security updates (available from the HPE Networking Support Portal) on vulnerable access points to prevent potential attacks.
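
A triage sketch for the affected-version list above, added here as an example (not HPE's tooling or code from the advisory): it compares access point firmware strings numerically against the listed ceilings, so that 8.10.0.9 is correctly treated as older than 8.10.0.13. The inventory, hostnames, build-suffix format and status labels are assumptions, the input is assumed to contain only Instant AOS-8 and AOS-10 access points, and branches the article does not name are reported as unlisted rather than guessed.

```python
import re

# Highest affected build per release branch, taken from the list in this article.
AFFECTED_MAX = {
    (10, 6): (10, 6, 0, 2),
    (10, 4): (10, 4, 1, 3),
    (8, 12): (8, 12, 0, 1),
    (8, 10): (8, 10, 0, 13),
}

# First dotted four-part number in the string; any build suffix is ignored.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
ORDER = {"affected": 0, "unparsed": 1, "unlisted": 2, "above_range": 3}


def classify(version: str) -> str:
    """Return 'affected', 'above_range', 'unlisted' or 'unparsed'."""
    m = VERSION_RE.search(version)
    if not m:
        return "unparsed"
    v = tuple(int(part) for part in m.groups())  # integers, not strings
    ceiling = AFFECTED_MAX.get(v[:2])
    if ceiling is None:
        return "unlisted"  # branch not named here: check the vendor advisory
    return "affected" if v <= ceiling else "above_range"


def triage(inventory):
    """Return (host, version, status) rows, affected hosts first."""
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (ORDER[r[2]], r[0]))


# Constructed sample inventory: hostnames and builds are made up.
SAMPLE = [
    ("ap-lobby-01", "8.10.0.13"),
    ("ap-lab-02", "8.10.0.9_88888"),
    ("ap-floor3-07", "8.12.0.2"),
    ("ap-branch-11", "10.4.1.3"),
    ("ap-branch-12", "10.6.0.3"),
    ("ap-legacy-01", "8.6.0.20"),
    ("ap-new-99", "n/a"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{status:12} {host:14} {ver}")
```
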

 

Workaround available, no active exploitation


As a temporary workaround for devices running Instant AOS-8.x code, admins can enable "cluster-security" to block exploitation attempts. For AOS-10 devices, the company advises blocking access to port UDP/8211 from all untrusted networks.

 

HPE Aruba Networking also confirmed that other Aruba products, including Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways, are unaffected.

 

According to the HPE Product Security Response Team, no public exploit code is available, and there have been no reports of attacks targeting the three critical vulnerabilities.

 

Earlier this year, the company also patched four critical RCE vulnerabilities impacting multiple versions of ArubaOS, its proprietary network operating system.

 

In February, Hewlett Packard Enterprise (HPE) said it was investigating a potential breach after a threat actor posted credentials and other sensitive information (allegedly stolen from HPE) for sale on a hacking forum.

 

Two weeks earlier, it reported that its Microsoft Office 365 email environment was breached in May 2023 by hackers believed to be part of the APT29 threat group linked to Russia's Foreign Intelligence Service (SVR).
