HPE Aruba AirWave Multiple Vulnerabilities Advisory (RCE/Command Injection)

Key Information Summary Vulnerability Title HPESBNW04971 rev.1 - HPE Aruba Networking Management Software (AirWave) Multiple Vulnerabilities Impact Remote: Arbitrary code execution, code execution, denial of service (DoS), unauthorized access to file system, unauthorized write access to files, buffer overflow Source: Hewlett Packard Enterprise, HPE Product Security Response Team Vulnerability Overview HPE Aruba Networking has released a software update for HPE Aruba Networking Management Software (AirWave) to address multiple security vulnerabilities. Affected Products HPE Aruba Networking Management Software (AirWave): - Versions 8.3.0.4 and earlier Vulnerability Details 1. Authenticated Command Injection Vulnerability: - CVE: CVE-2025-37163 - Impact: Command injection vulnerability in the command-line interface, allowing attackers to execute privileged operating system commands. - CVSS v3.1 severity: High 2. Multiple Vulnerabilities in Rsync Daemon: - CVEs: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088, CVE-2024-12747 - Impact: Enable remote code execution, directory traversal, and exposure of sensitive information. - CVSS v3.1 severity: Medium Recommended Actions Upgrade HPE Aruba Networking Management Software (AirWave) to version 8.3.0.5 or later. CVSS Score Table CVSS scores and corresponding V3 vector information for each CVE are listed, such as CVE-2024-12747 with a CVSS v3.1 Base Score of 6.7.

Goal Reached Thanks to every supporter — we hit 100%!

HPE Aruba AirWave Multiple Vulnerabilities Advisory (RCE/Command Injection)