HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04845
CVE: CVE-2025-27082, CVE-2025-27083, CVE-2025-27084, CVE-2025-27085
Publication Date: 2025-APR-08
Status: Confirmed
Severity: High
Revision: 1

Title
=====
HPE Aruba Networking AOS-10 and AOS-8 Mobility Conductor, Controllers,
and Gateways - Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released AOS-10 GW and AOS-8 patches for
Mobility Conductors, Controllers and Gateways to address multiple
security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
  - Mobility Conductor
  - Mobility Controllers
  - WLAN and SD-WAN Gateways Managed by HPE Aruba Networking Central

Affected Software Version(s):
  - AOS-10.7.x.x: 10.7.1.0 and below
  - AOS-10.4.x.x: 10.4.1.6 and below
  - AOS-8.12.x.x: 8.12.0.3 and below
  - AOS-8.10.x.x: 8.10.0.15 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this
advisory:
  - AOS-10.6.x.x: all
  - AOS-10.5.x.x: all
  - AOS-10.3.x.x: all
  - AOS-8.11.x.x: all
  - AOS-8.9.x.x: all
  - AOS-8.8.x.x: all
  - AOS-8.7.x.x: all
  - AOS-8.6.x.x: all
  - AOS-6.5.4.x: all
  - SD-WAN 8.7.0.0-2.3.0.x: all
  - SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
===================
Any other HPE Aruba Networking products and software versions not
specifically listed above are not affected by these vulnerabilities.

Details
=======

Authenticated Remote Code Execution Vulnerabilities in AOS-10 GW and
AOS-8 Controller/Mobility Conductor Web-Based Management Interface via
Arbitrary File Write (CVE-2025-27082)
----------------------------------------------------------------
  Arbitrary File Write vulnerabilities exist in the web-based
  management interface of both the AOS-10 GW and AOS-8
  Controller/Mobility Conductor operating systems.
  Successful exploitation could allow an authenticated attacker to
  upload arbitrary files and execute arbitrary commands on the
  underlying host operating system.

  Internal References: ATLWL-511, ATLWL-510, ATLWL-509, ATLWL-506,
                       ATLWL-505, ATLWL-504, ATLWL-502
  Severity: High
  CVSS v3.1 Base Score: 7.2
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

  Discovery: This vulnerability was discovered and reported by ZZ from
  Moonlight Bug Hunter and LIUPENG via HPE Aruba Networking's bug
  bounty program.

  Workaround: For AOS-10 GWs, deny access to TCP port 4343 from any
  network to the Management IP address of the Gateway. For systems
  running AOS-8 there is no workaround.

Authenticated Command Injection Vulnerabilities in AOS-10 GW and AOS-8
Controller/Mobility Conductor Web-Based Management Interface
(CVE-2025-27083)
----------------------------------------------------------------
  Authenticated command injection vulnerabilities exist in the AOS-10
  GW and AOS-8 Controller/Mobility Conductor web-based management
  interface. Successful exploitation of these vulnerabilities allows an
  authenticated attacker to execute arbitrary commands as a privileged
  user on the underlying operating system.

  Internal References: ATLWL-514, ATLWL-513, ATLWL-512, ATLWL-501
  Severity: High
  CVSS v3.1 Base Score: 7.2
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

  Discovery: This vulnerability was discovered and reported by ZZ from
  Moonlight Bug Hunter and LIUPENG via HPE Aruba Networking's bug
  bounty program.

  Workaround: For AOS-10 GWs, deny access to TCP port 4343 from any
  network to the Management IP address of the Gateway. For systems
  running AOS-8 there is no workaround.

Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal
(CP) of an AOS-10 GW and AOS-8 Controller/Mobility Conductor Web-based
Management Interface (CVE-2025-27084)
----------------------------------------------------------------
  A vulnerability in the Captive Portal of an AOS-10 GW and AOS-8
  Controller/Mobility Conductor could allow a remote attacker to
  conduct a reflected cross-site scripting (XSS) attack. Successful
  exploitation could enable the attacker to execute arbitrary script
  code in the victim's browser within the context of the affected
  interface.

  Internal References: ATLWL-486
  Severity: Medium
  CVSS v3.1 Base Score: 5.4
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

  Discovery: This vulnerability was discovered and reported by an HPE
  Aruba Networking customer.

  Workaround: None.

Arbitrary File Download Vulnerabilities in Web-Based Management
Interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor
(CVE-2025-27085)
----------------------------------------------------------------
  Multiple vulnerabilities exist in the web-based management interface
  of AOS-10 GW and AOS-8 Controller/Mobility Conductor. Successful
  exploitation of these vulnerabilities could allow an authenticated,
  remote attacker to download arbitrary files from the filesystem of an
  affected device.

  Internal References: ATLWL-507, ATLWL-500, ATLWL-499, ATLWL-498
  Severity: Medium
  CVSS v3.1 Base Score: 4.9
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

  Discovery: This vulnerability was discovered and reported by ZZ from
  Moonlight Bug Hunter and LIUPENG via HPE Aruba Networking's bug
  bounty program.

  Workaround: For AOS-10 GWs, deny access to TCP port 4343 from any
  network to the Management IP address of the Gateway. For systems
  running AOS-8 there is no workaround.

Resolution
==========
Upgrade Mobility Conductors, Controllers, and Gateways to one of the
following AOS-10 or AOS-8 versions (as applicable) to resolve the
vulnerabilities described in the Details section:
  - AOS-10.7.x.x: 10.7.1.1 and above
  - AOS-10.4.x.x: 10.4.1.7 and above
  - AOS-8.12.x.x: 8.12.0.4 and above
  - AOS-8.10.x.x: 8.10.0.16 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal at
https://networkingsupport.hpe.com/downloads;fileTypes=SOFTWARE

HPE Aruba Networking does not evaluate or patch AOS-10 GW and AOS-8
Controller/Mobility Conductor software branches that have reached their
End of Maintenance (EoM) milestone.

For more information about HPE Aruba Networking's End of Life policy
visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for assistance if
needed. For more information, please visit the HPE Aruba Networking
Support Portal at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date of
the advisory.

Revision History
================
Revision 1 / 2025-APR-08 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption.
Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.
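
Added example, not part of HPE's advisory text: a Python triage helper that classifies an AOS version string against the affected, fixed and End of Maintenance branches listed in this advisory. The four-part input format, the status labels and the sample inventory are assumptions constructed for illustration.

```python
import re

# First fixed release per maintained branch (Resolution section).
FIXED = {(10, 7): (10, 7, 1, 1), (10, 4): (10, 4, 1, 7),
         (8, 12): (8, 12, 0, 4), (8, 10): (8, 10, 0, 16)}
# End of Maintenance branches: affected, and not patched by this advisory.
# (8, 7) and (8, 6) also cover SD-WAN 8.7.0.0-2.3.0.x and 8.6.0.4-2.2.x.x.
EOM_PREFIXES = [(10, 6), (10, 5), (10, 3), (8, 11), (8, 9), (8, 8),
                (8, 7), (8, 6), (6, 5, 4)]
# Assumed input format: optional "AOS-" prefix, four dotted numbers,
# optional SD-WAN suffix such as "-2.3.0.9".
VERSION_RE = re.compile(r"(?:AOS-)?(\d+(?:\.\d+){3})(?:-\d+(?:\.\d+)*)?")


def triage(version):
    """Return 'fixed', 'affected', 'eom-affected' or 'not-listed'."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    v = tuple(int(part) for part in m.group(1).split("."))
    if any(v[:len(p)] == p for p in EOM_PREFIXES):
        return "eom-affected"
    first_fixed = FIXED.get(v[:2])
    if first_fixed is None:
        return "not-listed"  # branch is not named anywhere in the advisory
    return "fixed" if v >= first_fixed else "affected"


def triage_inventory(devices):
    """Group hostnames by status; unparseable versions go to 'unknown'."""
    report = {}
    for host, version in devices.items():
        try:
            status = triage(version)
        except ValueError:
            status = "unknown"
        report.setdefault(status, []).append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {"gw-branch-01": "10.4.1.6", "gw-branch-02": "10.4.1.7",
          "gw-hq-01": "10.7.1.0", "mc-core-01": "AOS-8.10.0.15",
          "md-campus-01": "8.12.0.4", "md-lab-01": "8.11.2.1",
          "sdwan-old-01": "8.7.0.0-2.3.0.9", "md-misc-01": "n/a"}

if __name__ == "__main__":
    for status, hosts in sorted(triage_inventory(SAMPLE).items()):
        print(f"{status:13} {', '.join(hosts)}")
```

Devices reported as eom-affected need a move to a maintained branch, since the advisory provides no fix for them; for affected AOS-10 gateways the TCP port 4343 workaround described above applies until the upgrade.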