HPE Aruba: Security patches for access points and other hardware

Attackers can inject malicious code over the network into HPE Aruba access points, mobility controllers, conductors and gateways.

Access points and switches are attacked by a criminal

(Image: Created with AI in Bing Designer by heise online / dmk)


HPE has published security advisories about vulnerabilities in various network devices of its Aruba subsidiary brand. Some of the vulnerabilities even allow attackers to smuggle malicious code onto vulnerable devices. Updates that close the vulnerabilities are available.

According to the first HPE security advisory, the more serious vulnerabilities affect Aruba Mobility Conductors, Controllers, and Gateways running the AOS 10 and AOS 8 operating systems. The authors list the potential impact as execution of arbitrary code from the network, execution of arbitrary commands, downloading of arbitrary files, modification of arbitrary files, cross-site scripting (XSS) and unauthorized execution of arbitrary commands.

A total of four security vulnerabilities are responsible for this. Arbitrary files can be written through the web-based management interface, allowing authenticated users to inject and execute code (CVE-2025-27082, CVSS 7.2, risk “high”). They can also inject commands (CVE-2025-27083, CVSS 7.2, risk “high”). The captive portal of the web-based administration interface also enables cross-site scripting (CVE-2025-27084, CVSS 5.4, risk “medium”). Registered users can also download arbitrary files from vulnerable devices (CVE-2025-27085, CVSS 4.9, risk “medium”).


HPE provides firmware versions 10.7.1.1, 10.4.1.7, 8.12.0.4 and 8.10.0.16 to patch the vulnerabilities. Older versions are also affected by the vulnerabilities, but they have reached the end of support and will no longer receive updates.

A second security advisory addresses vulnerabilities in HPE Aruba access points. Here too, authenticated attackers can inject commands over the network that the device then executes (CVE-2025-27078, CVSS 6.5, risk “medium”). They can also create arbitrary files on the devices and thus introduce and execute malicious code from the network (CVE-2025-27079, CVSS 6.0, risk “medium”). The vulnerabilities are fixed in firmware versions AOS-10 10.7.0.2 and 10.4.1.6 as well as AOS-8 Instant 8.12.0.4 and 8.10.0.16, and in newer versions.
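To check an inventory against the fixed releases named in the two advisories above, the following added example (not code from HPE or from the article) compares each device's version with the fix for its release branch. The inventory format, hostnames and status labels are assumptions; the version numbers are the ones listed in the article.

```python
import re

# Fixed releases exactly as listed in the article, per device class and branch.
FIXED = {
    "controller": {  # Mobility Conductors, Controllers and Gateways
        (10, 7): (10, 7, 1, 1), (10, 4): (10, 4, 1, 7),
        (8, 12): (8, 12, 0, 4), (8, 10): (8, 10, 0, 16),
    },
    "ap": {  # access points (AOS-10 and AOS-8 Instant)
        (10, 7): (10, 7, 0, 2), (10, 4): (10, 4, 1, 6),
        (8, 12): (8, 12, 0, 4), (8, 10): (8, 10, 0, 16),
    },
}

def parse_version(text):
    """Return the first four dotted numeric fields, ignoring any build suffix."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised AOS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def assess(device_class, version_text):
    """Return 'patched', 'update:<ver>', 'no-fix-listed' or 'check-advisory'."""
    version = parse_version(version_text)
    branches = FIXED[device_class]
    fixed = branches.get(version[:2])
    if fixed is not None:
        if version >= fixed:
            return "patched"
        return "update:" + ".".join(map(str, fixed))
    if version[:2] > max(branches):
        return "check-advisory"  # branch newer than any the article lists
    return "no-fix-listed"       # article: end-of-support releases get no updates

# Constructed sample inventory (hostnames are hypothetical).
INVENTORY = [
    ("gw-branch-01", "controller", "10.4.1.6"),
    ("ap-lobby-03", "ap", "10.4.1.6"),
    ("mc-core-01", "controller", "8.10.0.16_90123"),
    ("ap-lab-07", "ap", "8.11.2.0"),
]

def audit(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(cls, ver) for host, cls, ver in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:14} {status}")
```

The same version string can be fixed on an access point and still vulnerable on a controller or gateway (10.4.1.6 in the sample), so the device class has to be part of the check.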

Last week, HPE had to address security vulnerabilities in the Aruba VPN. The connections with the HPE Aruba Networking Virtual Intranet Access Client could be cracked by attackers.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.