On 5 November 2024, Hewlett Packard Enterprise (HPE), the parent company of Aruba Networks, released a security bulletin addressing two critical-severity vulnerabilities affecting Aruba Networks Access Points. These vulnerabilities, identified as CVE-2024-42509 and CVE-2024-47460, could allow unauthenticated command injection. Exploitation is possible by sending specially crafted packets destined to the PAPI (Aruba’s Access Point management protocol) UDP port (8211), potentially leading to privileged Remote Code Execution (RCE).
Arctic Wolf has not observed exploitation of these vulnerabilities, nor identified any publicly available proof of concept (PoC) exploit code. Although Aruba Network access points have not previously been reported as exploited in the wild, they are an attractive target for threat actors due to the potential access these vulnerabilities could provide through privileged user RCE. Additionally, threat actors may attempt to reverse-engineer the patches to exploit unpatched systems in the near future.
Recommendation for CVE-2024-42509 and CVE-2024-47460
Upgrade to Latest Fixed Version
Arctic Wolf strongly recommends that customers upgrade to the latest fixed version.
| Product | Affected Version | Fixed Version |
| Aruba Access Points |
|
|
|
|
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
Workaround(s)
For users unable to apply the patch, HPE has offered the following workarounds:
- For devices running Instant AOS-8: Enabling cluster security via the cluster-security command will prevent this vulnerability from being exploited.
- For devices running AOS-10: Since cluster-security is not available, block access to UDP port 8211 from all untrusted networks.
