Critical Vulnerabilities in ArubaOS

Published on 02 Mar 2023 | Updated on 02 Mar 2023

Aruba Networks has released security updates addressing multiple critical vulnerabilities in its operating system, ArubaOS.

The vulnerabilities are command injection flaws (CVE-2023-22747, CVE-2023-22748, CVE-2023-22749, and CVE-2023-22750) and stack-based buffer overflows (CVE-2023-22751 and CVE-2023-22752) in PAPI, the Aruba Networks access point management protocol.

A remote, unauthenticated attacker who can deliver specially crafted packets to the PAPI service on UDP port 8211 could exploit these vulnerabilities to execute arbitrary code as a privileged user on ArubaOS. No credentials or user interaction are needed; reachability of UDP port 8211 is the precondition.

The affected versions of ArubaOS, including a few that have reached End of Life (EoL), are as follows:

  • ArubaOS and below
  • ArubaOS and below
  • ArubaOS and below
  • SD-WAN and below
  • ArubaOS 6.5.4.x (EoL)
  • ArubaOS 8.7.x.x (EoL)
  • ArubaOS 8.8.x.x (EoL)
  • ArubaOS 8.9.x.x (EoL)
  • SD-WAN (EoL)

Users and administrators of affected product versions are advised to upgrade to the latest versions immediately. For versions that have reached EoL, the available workaround is to enable the "Enhanced PAPI Security" mode with a non-default key; leaving the default key in place does not provide the intended protection.
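Because reachability of UDP port 8211 is the precondition for exploitation, a practical first step is to inventory which controllers and access points accept PAPI traffic from a given network position. The script below is an added example, not part of the Aruba advisory and not a vulnerability test: it post-processes the grepable output of an nmap UDP scan of port 8211 and lists every host whose port is reported as "open" or "open|filtered". The sample scan file it writes is constructed for illustration; the file names and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Aruba advisory): list scanned hosts on which
# UDP/8211 (PAPI) is reachable, from nmap grepable (-oG) output.
# Real usage:  nmap -sU -p 8211 -oG papi.gnmap <controller/AP ranges>
#              papi_exposed_hosts papi.gnmap
# A UDP port that neither replies nor triggers an ICMP unreachable is reported
# by nmap as "open|filtered"; both "open" and "open|filtered" count as exposed.

# Print "<ip> <state>" for each host whose 8211/udp is open or open|filtered.
papi_exposed_hosts() {
    awk -F "$(printf '\t')" '
    /^Host:/ {
        split($1, h, " ")
        host = h[2]
        for (i = 2; i <= NF; i++) {
            if ($i !~ /^Ports: /) continue
            sub(/^Ports: /, "", $i)
            n = split($i, ports, ", ")
            for (j = 1; j <= n; j++) {
                # grepable port fields: port/state/proto/owner/service/rpcinfo/version/
                split(ports[j], f, "/")
                if (f[1] == "8211" && f[3] == "udp" &&
                    (f[2] == "open" || f[2] == "open|filtered"))
                    print host " " f[2]
            }
        }
    }' "$1"
}

# Constructed sample in nmap -oG format (not a real scan) so the script runs offline.
write_sample_scan() {
    printf 'Host: 10.0.0.5 ()\tPorts: 8211/open|filtered/udp/////\tIgnored State: closed (0)\n' > "$1"
    printf 'Host: 10.0.0.6 ()\tPorts: 8211/closed/udp/////\n' >> "$1"
    printf 'Host: 10.0.0.7 ()\tPorts: 22/open/tcp//ssh///, 8211/open/udp/////\n' >> "$1"
}

sample="${TMPDIR:-/tmp}/papi_sample.gnmap"
write_sample_scan "$sample"
papi_exposed_hosts "$sample"
```

Run the scan from the network position you are worried about (a user VLAN, a guest segment, the internet edge), not from the management network, where PAPI is expected to be reachable because access points need it to talk to their controller. A host listed here is exposed, not necessarily vulnerable; confirm the running ArubaOS version against the affected list above, and treat "open|filtered" as exposed until a firewall rule proves otherwise.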

More information is available here: