Updates have been issued by Hewlett Packard Enterprise to fix six security flaws affecting its Aruba Networking Access Point offerings, including a pair of critical unauthenticated command injection bugs within the CLI Service, tracked as CVE-2024-42509 and CVE-2024-47460, which could be leveraged for arbitrary code execution, according to The Hacker News.
Arctic Wolf researchers have urged immediate patching of the severe vulnerabilities in impacted Aruba Network products, including AOS-10.4.x.x: 10.4.1.4 and below, Instant AOS-8.12.x.x: 8.12.0.2 and below, and Instant AOS-8.10.x.x: 8.10.0.13 and below, despite a lack of evidence suggesting active exploitation. "...[T]hreat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future," said Arctic Wolf.
HPE has also addressed the high-severity Instant AOS-8 and AOS-10 arbitrary remote command execution flaw, tracked as CVE-2024-47461; a pair of high-severity arbitrary file creation bugs, tracked as CVE-2024-47462 and CVE-2024-47463; and a medium-severity authenticated path traversal issue, tracked as CVE-2024-47464.