vulnerability

Aruba AOS-10: CVE-2023-51385: Authenticated Remote Command Execution in the InstantOS and ArubaOS 10.x SSH Daemon

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
6	(AV:N/AC:L/Au:N/C:P/I:P/A:N)	Aug 6, 2024	Jan 14, 2025	Jul 2, 2025

Severity

CVSS

(AV:N/AC:L/Au:N/C:P/I:P/A:N)

Published

Aug 6, 2024

Added

Jan 14, 2025

Modified

Jul 2, 2025

Description

In OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. The impact of this vulnerability on InstantOS 8.x and ArubaOS 10.x running on HPE Aruba Networking Access Points has not been confirmed, but the version of OpenSSH has been upgraded for mitigation.

Solution

aruba-aos-10-cve-2023-51385

References

CVE-2023-51385
https://attackerkb.com/topics/CVE-2023-51385
URL-https://csaf.arubanetworks.com/2024/hpe_aruba_networking_-_hpesbnw04678.json
CWE-78

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today