HPE Aruba Issues Security Patches for Network Equipment

Thu 10th Apr, 2025

Hewlett Packard Enterprise (HPE) has announced critical security updates addressing vulnerabilities in various network devices under its Aruba brand. Attackers could potentially exploit these weaknesses to inject malicious code into affected devices, including access points, mobility controllers, conductors, and gateways.

The most significant vulnerabilities primarily affect Aruba Mobility Conductors, Controllers, and Gateways running the AOS-10 and AOS-8 operating systems. The consequences are severe: potential outcomes include remote execution of arbitrary code, unauthorized command execution, unauthorized file downloads and modifications, and cross-site scripting (XSS).

A total of four vulnerabilities have been highlighted in the initial security advisory. The web-based management interface allows authenticated users to write files, enabling them to inject and execute code (CVE-2025-27082, CVSS score 7.2, categorized as 'high risk'). Additionally, it permits the injection of commands (CVE-2025-27083, CVSS score 7.2, also 'high risk'). Furthermore, the captive portal within the web management interface is susceptible to cross-site scripting attacks (CVE-2025-27084, CVSS score 5.4, categorized as 'medium risk'). Authenticated users can also download arbitrary files from vulnerable devices (CVE-2025-27085, CVSS score 4.9, categorized as 'medium risk').

To rectify these issues, HPE has released firmware versions 10.7.1.1, 10.4.1.7, 8.12.0.4, and 8.10.0.16. It is important to note that older versions of the software affected by these vulnerabilities have reached their end of support and will not receive further updates.

In a separate advisory, HPE outlined vulnerabilities in Aruba Access Points, where authenticated attackers can execute commands remotely (CVE-2025-27078, CVSS score 6.5, categorized as 'medium risk'). They can also create arbitrary files on the devices, allowing for code injection and execution (CVE-2025-27079, CVSS score 6.0, categorized as 'medium risk'). Firmware versions AOS-10 10.7.0.2, 10.4.1.6, and AOS-8 Instant 8.12.0.4 and 8.10.0.16 have been released to address these security vulnerabilities.
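The two advisories name different fixed releases for the same branch depending on the product family (for example, 10.7.0.2 closes the access-point issues but a controller on 10.7.0.2 is still below its 10.7.1.1 fix). The following inventory check is an added example, not HPE's tooling or part of the advisories: it encodes the fixed versions quoted above, parses dotted AOS version strings, and flags devices that are below the fix for their branch. Hostnames and versions in the sample inventory are constructed; the handling of branches not listed in the advisories (reported as needing review, since the article says older affected releases are end of support) is this example's own assumption.

```python
"""Triage an HPE Aruba device inventory against the fixed firmware versions
named in the April 2025 advisories (added example; fixed-version data from the
article, sample inventory constructed)."""

# Fixed firmware per product family and release branch, as listed in the article.
# A branch is identified by the first two components of the version string.
FIXED_VERSIONS = {
    "controller": {  # Mobility Conductors, Controllers, Gateways (AOS-10 / AOS-8)
        (10, 7): (10, 7, 1, 1),
        (10, 4): (10, 4, 1, 7),
        (8, 12): (8, 12, 0, 4),
        (8, 10): (8, 10, 0, 16),
    },
    "access_point": {  # Access Points (AOS-10 / AOS-8 Instant)
        (10, 7): (10, 7, 0, 2),
        (10, 4): (10, 4, 1, 6),
        (8, 12): (8, 12, 0, 4),
        (8, 10): (8, 10, 0, 16),
    },
}


def parse_version(text):
    """Parse 'a.b.c.d' (optionally followed by a build suffix such as '-12345')
    into a tuple of ints. Malformed input raises ValueError so that an
    unparsable inventory row is never silently counted as patched."""
    core = text.strip().split("-")[0].split("_")[0]
    parts = core.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(p) for p in parts)


def assess(product, version_text):
    """Return 'patched', 'vulnerable' or 'unsupported_branch' for one device.

    'unsupported_branch' (assumption of this example) means the running branch
    is not among those the advisory fixed; per the article, older affected
    releases are end of support, so such devices need manual review."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS[product].get(version[:2])
    if fixed is None:
        return "unsupported_branch"
    # Tuple comparison orders component-wise, so 8.10.0.16 > 8.10.0.9 as intended.
    return "patched" if version >= fixed else "vulnerable"


def triage(inventory):
    """Group (hostname, product, version) rows by assessment.
    Rows with an unknown product or unparsable version land in 'error'."""
    result = {"patched": [], "vulnerable": [], "unsupported_branch": [], "error": []}
    for host, product, version in inventory:
        try:
            result[assess(product, version)].append(host)
        except (ValueError, KeyError):
            result["error"].append(host)
    return result


# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    ("mc-core-01", "controller", "10.7.1.1"),        # at the controller fix
    ("mc-core-02", "controller", "10.7.0.2"),        # AP fix level, not controller
    ("gw-branch-07", "controller", "8.10.0.15"),     # one below 8.10.0.16
    ("ap-lobby-12", "access_point", "10.4.1.6"),     # at the AP fix
    ("ap-floor3-04", "access_point", "8.12.0.3-12345"),  # build suffix stripped
    ("ap-legacy-01", "access_point", "8.6.0.22"),    # branch not in advisory
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:19s} {', '.join(hosts) or '-'}")
```

Feeding real inventory into `triage` (for example, an export from the management platform) gives a quick list of devices still below the advisory's fix level for their branch; devices in `unsupported_branch` or `error` need a human look rather than being assumed safe.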

Last week, HPE addressed security flaws in Aruba's VPN functionality that could have allowed attackers to compromise systems via the HPE Aruba Networking Virtual Intranet Access Client.
