vulnerability
Aruba AOS-10: CVE-2023-51385: Authenticated Remote Command Execution in the InstantOS and ArubaOS 10.x SSH Daemon
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:P/I:P/A:N) | Aug 6, 2024 | Jan 14, 2025 | Apr 2, 2026 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Published
Aug 6, 2024
Added
Jan 14, 2025
Modified
Apr 2, 2026
Description
In OpenSSH before 9.6, OS command injection might occur if a user name or host name has shell metacharacters, and this name is referenced by an expansion token in certain situations. For example, an untrusted Git repository can have a submodule with shell metacharacters in a user name or host name. The impact of this vulnerability on InstantOS 8.x and ArubaOS 10.x running on HPE Aruba Networking Access Points has not been confirmed, but the version of OpenSSH has been upgraded for mitigation.
Solution
aruba-aos-10-cve-2023-51385
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.