Source: JHVEPhoto via Alamy Stock Photo

HPE Aruba Networking fixed three critical vulnerabilities found in its systems that could allow unauthenticated attackers remote code execution on compromised devices.

The vulnerabilities, tracked as CVE-2024-42505, CVE-2024-42506, and CVE-2024-42507, lie in the command line interface (CLI) service of Aruba access points (APs) and can be exploited by sending packets to Aruba's AP management protocol UDP port to gain privileged access and execute arbitrary code.

The security bugs affect Aruba APs running Instant AOS-8 and AOS-10, according to the Hewlett Packard Enterprise subsidiary.

The impacted software includes AOS-10.6.x.x: 10.6.0.2 and below, AOS-10.4.x.x: 10.4.1.3 and below, Instant AOS-8.12.x.x: 8.12.0.1 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and below.

While there are workarounds for devices running Instant AOS-8.x code and AOS-10, it's recommended that administrators install the latest updates HPE provided on its networking support portal to prevent attacks from malicious actors.

Other Aruba products such as Networking Mobility Conductors, Mobility Controllers, and SD-WAN Gateways have not been impacted.

There are no reports of the flaws being exploited in the wild and no public exploit codes currently available, according to the HPE Security Response Team.