Critical Vulnerabilities in ArubaOS

Published on 02 Mar 2023

Aruba Networks has released security updates addressing multiple critical vulnerabilities in its operating system, ArubaOS.

These vulnerabilities are due to command injection flaws (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750) and stack-based buffer overflow problems (CVE-2023-22751 and CVE-2023-22752) in the PAPI (Aruba Networks access point management protocol).

Successful exploitation of these vulnerabilities could allow a remote and unauthenticated attacker to execute arbitrary code as a privileged user on ArubaOS. This is done by sending a specially crafted packet to the PAPI over UDP port 8211.

The affected versions of ArubaOS, including a few that have reached End of Life (EoL), are as follows:

  • ArubaOS and below
  • ArubaOS and below
  • ArubaOS and below
  • SD-WAN and below
  • ArubaOS 6.5.4.x (EoL)
  • ArubaOS 8.7.x.x (EoL)
  • ArubaOS 8.8.x.x (EoL)
  • ArubaOS 8.9.x.x (EoL)
  • SD-WAN (EoL)

Users and administrators of affected product versions are advised to upgrade to the latest versions immediately. For products which have reached EoL, a workaround is available by enabling the "Enhanced PAPI Security" mode using a non-default key.

More information is available here: