CVE-2026-44852

⚠️ high

Summary

An authenticated remote code execution vulnerability exists in the AOS-8 and AOS-10 web-based management interface. A vulnerability in the certificate download functionality could allow an authenticated remote attacker to overwrite arbitrary files on the underlying operating system by exploiting improper input validation in the file path parameter. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system as a privileged user.

CVSS Score

7.2

High

EPSS Score

0.1

Exploit Probability

Published Date

2026-05-12

First Seen: 2026-05-17

📊 Relative Risk Intelligence

This CVE is Moderate Risk - more severe than 55.6% of all 321,566 vulnerabilities in our database.

#142,887

Above average severity

Severity Percentile

🎯 CISA SSVC Assessment Updated: May 13, 2026

🔍 Exploitation Status

None

No known exploits

⚙️ Automatable

Requires human interaction

💥 Technical Impact

Total

Complete system compromise possible

🏆 Discovered By

zzcentury (reporter)

SSVC data provided by CISA

Last Modified 2026-05-15

Source NVD 🔗

CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE IDs (Weakness Types)

CWE-296

📦 Affected Products 7

Vendor	Product	Status	Affected Versions
arubanetworks	arubaos	Affected	> 10.4.0.0 < 10.4.1.11
arubanetworks	arubaos	Affected	> 10.5.0.0 < 10.7.2.3
arubanetworks	arubaos	Affected	> 6.5.4.0 < 8.10.0.22
arubanetworks	arubaos	Affected	> 8.11.0.0 < 8.12.0.7
arubanetworks	arubaos	Affected	> 8.13.0.0 < 8.13.1.2
arubanetworks	sd-wan	Affected	> 8.6.0.4-2.2.0.0 < 8.6.0.4-2.2.0.7
arubanetworks	sd-wan	Affected	> 8.7.0.0-2.3.0.0 < 8.7.0.0-2.3.0.9

🔗 References 1

https://support.hpe.com/hpesc/public/docDisplay?docI...

Vendor Advisory

🔗 Related CVEs 6

CVE ID	Severity	CVSS	EPSS	Summary	Published
CVE-2026-23824	⚠️ high	7.5	0.0	Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacke...	2026-05-12
CVE-2026-23825	⚠️ high	7.5	0.1	Vulnerabilities exist in a protocol-handling component of AOS-8 and AOS-10 Operating Systems. An unauthenticated attacke...	2026-05-12
CVE-2026-23826	⚠️ high	7.5	0.1	A vulnerability in a network management service of AOS-8 Operating System could allow an unauthenticated remote attacker...	2026-05-12
CVE-2026-23827	⚠️ high	7.5	0.1	A heap-based buffer overflow vulnerability exists in a Network management service of AOS-8 and AOS-10 that could allow a...	2026-05-12
CVE-2026-44853	⚠️ high	7.2	0.2	Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Suc...	2026-05-12
CVE-2026-44854	⚠️ high	7.2	0.2	Command injection vulnerabilities exist in the web-based management interface of AOS-8 and AOS-10 Operating Systems. Suc...	2026-05-12

These CVEs affect the same products