A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.
PUBLISHED5.2
Authenticated Arbitrary File Upload via Command Injection in AOS-8 AND AOS-10 Web-Based Management Interface
Affected products
Hewlett Packard Enterprise (HPE)
HPE Aruba Networking Wireless Operating System (AOS)
<= 8.13.1.1 - AFFECTED
<= 8.12.0.6 - AFFECTED
<= 8.10.0.21 - AFFECTED
<= 10.7.2.2 - AFFECTED
10.8.0.0 - AFFECTED
<= 10.4.1.10 - AFFECTED
References
GitHub Security Advisories
GHSA-p4r4-r264-p9hw
A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS...
https://github.com/advisories/GHSA-p4r4-r264-p9hwA command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-44872Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-44872",
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"dateUpdated": "2026-05-12T19:18:16.627Z",
"dateReserved": "2026-05-07T21:29:22.243Z",
"datePublished": "2026-05-12T19:18:16.627Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe",
"dateUpdated": "2026-05-12T19:18:16.627Z"
},
"title": "Authenticated Arbitrary File Upload via Command Injection in AOS-8 AND AOS-10 Web-Based Management Interface",
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.",
"supportingMedia": [
{
"type": "text/html",
"base64": false,
"value": "<p>A command injection vulnerability exists in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Successful exploitation could allow an authenticated remote attacker to place arbitrary files on the underlying filesystem of the affected device.</p>"
}
]
}
],
"affected": [
{
"vendor": "Hewlett Packard Enterprise (HPE)",
"product": "HPE Aruba Networking Wireless Operating System (AOS)",
"defaultStatus": "affected",
"versions": [
{
"version": "8.13.0.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "8.13.1.1"
},
{
"version": "8.12.0.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "8.12.0.6"
},
{
"version": "8.10.0.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "8.10.0.21"
},
{
"version": "10.7.0.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "10.7.2.2"
},
{
"version": "10.8.0.0",
"status": "affected",
"versionType": "semver"
},
{
"version": "10.4.0.0",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "10.4.1.10"
}
]
}
],
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05048en_us&docLocale=en_US"
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "HIGH",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "zzcentury",
"type": "reporter"
}
]
}
}
}