- 81/2025
- High
HPE Aruba has released security updates to fix multiple vulnerabilities affectingseveral Aruba products.
The addressed vulnerabilities could allow the attacker to execute arbitrary code/commands, download arbitrary files, perform cross-site scripting (XSS), modify files, and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Authenticated Remote Code Execution Vulnerabilities in Web-Based Management Interface via Arbitrary File Write (CVE-2025-27082):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal (CP) (CVE-2025-27084):
- CVSS: 5.4
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Cross-Site Scripting
Sample of the affected products:
- HPE Aruba Networking Mobility Conductor and Controllers (AOS-10, AOS-8).
- HPE Aruba Networking WLAN and SD-WAN Gateways (AOS-10).
- HPE Aruba Networking Access Points (AOS-10 AP, AOS-8 Instant).
Vulnerabilities
- CVE-2025-27082
- CVE-2025-27085
- CVE-2025-27083
- CVE-2025-27078
- CVE-2025-27084
- CVE-2025-27079
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.