Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

Note: Access Points running AOS-8 Instant software are not affected by this vulnerability.

Basic Information

ID CVE-2026-23821

Source hpe

Published May 12, 2026 at 18:35

Modified May 12, 2026 at 19:27

Affected Product

Vendor Hewlett Packard Enterprise (HPE)

Product ArubaOS (AOS)

Version 10.8.0.0

Affected Versions Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.8.0.0
Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.7.0.0
Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.4.0.0

CWE Classification

CWE-78

References

support.hpe.com /hpesc/public/docDisplay

{
    "lastseen": "",
    "description": "A vulnerability in the configuration processing logic of Access Points running AOS-10 could allow an authenticated remote attacker to execute system commands under certain pre-existing conditions. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.\n\nNote: Access Points running AOS-8 Instant software are not affected by this vulnerability.",
    "published": "2026-05-12T18:35:34.806Z",
    "modified": "2026-05-12T19:27:46.948Z",
    "type": "cve",
    "title": "Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI",
    "source": "hpe",
    "references": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw05049en_us&docLocale=en_US",
    "id": "CVE-2026-23821",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "Hewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.8.0.0\nHewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.7.0.0\nHewlett Packard Enterprise (HPE) ArubaOS (AOS) 10.4.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "ArubaOS (AOS)",
    "version": "10.8.0.0",
    "vendor": "Hewlett Packard Enterprise (HPE)",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Inconsistent input filtering allows Authenticated Command Injection in AOS-10 CLI_CVE-2026-23821