CVE-2024-31473: There is a command injection vulnerability in the underlying deauthentication service that could lead to unauthenticated remote code execution by...

9.8 CVSS

Description

There is a command injection vulnerability in the underlying deauthentication service that could lead to unauthenticated remote code execution by sending specially crafted packets destined for the PAPI (Aruba's Access Point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

Classification

CVE ID: CVE-2024-31473

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor: Hewlett Packard Enterprise (HPE)

Product: Aruba InstantOS and Aruba Access Points running ArubaOS 10

Exploit Prediction Scoring System (EPSS)

EPSS Score: 1.33% (estimated probability of exploitation in the wild)

EPSS Percentile: 78.23% (share of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-11 (date this score was calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: total

SSVC Automatable: true

References

https://nvd.nist.gov/vuln/detail/CVE-2024-31473
https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2024-006.txt

Timeline