CVE-2023-35972: Authenticated Remote Command Execution in ArubaOS Web-based Management Interface

7.2 CVSS

Description

An authenticated remote command injection vulnerability exists in the ArubaOS web-based management interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system. This allows an attacker to fully compromise the underlying operating system on the device running ArubaOS.

Classification

CVE ID: CVE-2023-35972

CVSS Base Severity: HIGH

CVSS Base Score: 7.2

Affected Products

Vendor: Hewlett Packard Enterprise (HPE)

Product: Aruba Mobility Conductor (formerly Mobility Master); Aruba Mobility Controllers; WLAN Gateways and SD-WAN Gateways managed by Aruba Central

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.08% (probability of being exploited)

EPSS Percentile: 37.39% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-008.txt

Timeline

2024-12-05 00:32:09 UTC
CVE

Authenticated Remote Command Execution in ArubaOS Web-based Management Interface