HPE Urges Immediate Update for Aruba Access Points Amid Critical Security Flaws
November 8, 2024
On November 8, 2024, Hewlett Packard Enterprise (HPE) announced patches for multiple serious vulnerabilities affecting its Aruba Networking access points.
The updates address six critical security vulnerabilities, including two command injection flaws with severity scores of 9.8 and 9.0.
To mitigate risks while updates are pending, HPE recommends blocking access to UDP port 8211 from untrusted networks and enabling cluster security on Instant AOS-8 devices.
Currently, there have been no reports of active exploitation of these vulnerabilities, but applying the recommended updates is strongly advised.
All vulnerabilities were reported through Aruba Networking's bug bounty program, indicating a proactive approach to security.
A high-severity path traversal vulnerability was also identified, allowing attackers to read arbitrary files, further emphasizing the need for immediate action.
The critical vulnerabilities are tracked as CVE-2024-42509 and CVE-2024-47460, both of which can be exploited via the command line interface (CLI) accessed through the Access Point management protocol (PAPI).
In addition to these critical flaws, other vulnerabilities include CVE-2024-47461, CVE-2024-47462, and CVE-2024-47463, which also allow for remote command execution and file creation.
These vulnerabilities affect multiple versions of the Instant AOS-8 and AOS-10 operating systems, specifically versions 10.4.1.4 and older, as well as Instant AOS-8.12.0.2 and below.
HPE has stated that products reaching end-of-life status will not receive patches, urging users to upgrade to supported models.
Users still under HPE's support are encouraged to update their access points to the latest versions to ensure security.
These vulnerabilities could allow remote attackers to perform unauthenticated command injection via specially crafted packets sent to the Access Point management protocol.
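To check that the interim mitigation of blocking UDP port 8211 from untrusted networks is actually in effect, the following added example (not from HPE or the cited sources) scans flow records for allowed UDP/8211 traffic whose source lies outside the management subnets. The log format, the trusted subnets and every sample record are constructed assumptions.

```python
import ipaddress

PAPI_UDP_PORT = 8211  # port named in HPE's mitigation guidance

# Assumption: management subnets permitted to reach PAPI (constructed values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/24")]

# Constructed sample flow records, one per line:
# timestamp proto src_ip src_port dst_ip dst_port action
SAMPLE_FLOWS = """\
2024-11-08T10:00:01Z udp 10.20.0.15 51000 10.30.5.10 8211 allow
2024-11-08T10:00:02Z udp 192.0.2.44 40222 10.30.5.10 8211 allow
2024-11-08T10:00:03Z tcp 192.0.2.44 40223 10.30.5.10 8211 allow
2024-11-08T10:00:04Z udp 198.51.100.7 53111 10.30.5.11 8211 deny
2024-11-08T10:00:05Z udp 192.0.2.44 40224 10.30.5.10 53 allow
malformed line here
2024-11-08T10:00:06Z udp 203.0.113.9 44000 10.30.5.12 8211 allow
"""

def is_trusted(ip):
    """True when the source address belongs to a trusted management subnet."""
    return any(ip in net for net in TRUSTED_NETS)

def untrusted_papi_flows(log_text):
    """Return (timestamp, src, dst) for allowed UDP/8211 flows from untrusted sources."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue  # skip malformed records instead of failing the whole scan
        ts, proto, src, _sport, dst, dport, action = fields
        try:
            src_ip = ipaddress.ip_address(src)
            port = int(dport)
        except ValueError:
            continue  # unparseable address or port
        if proto.lower() != "udp" or port != PAPI_UDP_PORT:
            continue  # only UDP traffic to the PAPI port is relevant
        # A denied flow means the filter worked; an allowed one is a gap.
        if action == "allow" and not is_trusted(src_ip):
            findings.append((ts, src, dst))
    return findings

if __name__ == "__main__":
    for ts, src, dst in untrusted_papi_flows(SAMPLE_FLOWS):
        print(f"{ts} untrusted source {src} reached {dst} on UDP/{PAPI_UDP_PORT}")
```

Any finding points to a filtering rule that still lets untrusted hosts reach the access point management protocol.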
Summary based on 3 sources
Sources
TechRadar pro • Nov 8, 2024
HPE reveals critical security bug affecting networking access points
BleepingComputer • Nov 7, 2024
HPE warns of critical RCE flaws in Aruba Networking access points
SecurityWeek • Nov 8, 2024
HPE Patches Critical Vulnerabilities in Aruba Access Points