CVE-2024-41136

Authenticated Command Injection in HPE Aruba Networking EdgeConnect SD-WAN Command Line Interface

Severity Score

6.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

An authenticated command injection vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN gateways Command Line Interface. Successful exploitation of this vulnerability results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.

*Credits: Daniel Jensen (bugcrowd.com/dozernz)

CVSS Scores

HPEv3.1 6.8

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2024-07-15 CVE Reserved
2024-07-24 CVE Published
2024-08-02 CVE Updated
2024-08-02 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CAPEC

References (1)

URL	Tag	Source
https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04673.txt

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)"		HPE Aruba Networking EdgeConnect SD-WAN Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN"				<= 9.3.3.0 Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN" and version " <= 9.3.3.0"		en		Affected
Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)"		HPE Aruba Networking EdgeConnect SD-WAN Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN"				<= 9.2.9.0 Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN" and version " <= 9.2.9.0"		en		Affected
Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)"		HPE Aruba Networking EdgeConnect SD-WAN Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN"				<= 9.1.11.0 Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN" and version " <= 9.1.11.0"		en		Affected
Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)"		HPE Aruba Networking EdgeConnect SD-WAN Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN"				<= 9.0.x.x Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN" and version " <= 9.0.x.x"		en		Affected
Hewlett Packard Enterprise (HPE) Search vendor "Hewlett Packard Enterprise (HPE)"		HPE Aruba Networking EdgeConnect SD-WAN Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN"				<= 8.0.x.x Search vendor "Hewlett Packard Enterprise (HPE)" for product "HPE Aruba Networking EdgeConnect SD-WAN" and version " <= 8.0.x.x"		en		Affected