"Aruba AOS-8 / AOS-10 CVE-2024-42509 & CVE-2024-47460: Unauthenticated PAPI RCE on Access Points"

On November 5, 2024, HPE Aruba Networking published advisory HPESBNW04722, disclosing six vulnerabilities in the software that runs its access points. Two of them — CVE-2024-42509 and CVE-2024-47460 — are critical, unauthenticated command-injection flaws that can lead to remote code execution (RCE) as a privileged user. This post walks through what the advisory actually says, who is affected, and the exact steps to remediate.
What happened
Both CVE-2024-42509 and CVE-2024-47460 are command-injection vulnerabilities in the underlying command-line interface (CLI) service used by Aruba access points. According to HPE Aruba Networking, an attacker can exploit them by sending specially crafted packets to the PAPI protocol — Aruba's access point management protocol — over UDP port 8211. Successful exploitation allows arbitrary code execution as a privileged user on the device's underlying operating system, with no authentication required.
Because PAPI is the protocol Aruba APs use to talk to controllers, conductors, and each other, any AP that has UDP/8211 reachable from an untrusted network is a potential target. The same advisory also covers four lower-severity, authenticated issues (CVE-2024-47461 through CVE-2024-47464), but the two unauthenticated RCEs are the ones that warrant urgent attention.
Affected products and versions
The flaws affect access points running Instant AOS-8 and AOS-10 software. The version data below is drawn directly from HPESBNW04722.
| Product / Branch | Affected | Fixed |
|---|---|---|
| AOS-10.4.x.x | 10.4.1.4 and below | 10.4.1.5 and above |
| AOS-10.7.x.x | (general availability) | 10.7.0.0 and above |
| Instant AOS-8.12.x.x | 8.12.0.2 and below | 8.12.0.3 and above |
| Instant AOS-8.10.x.x | 8.10.0.13 and below | 8.10.0.14 and above |
Several older branches are end of maintenance and will not receive a patch, including AOS-10.6.x.x, AOS-10.5.x.x, AOS-10.3.x.x, Instant AOS-8.11.x.x down through 8.4.x.x, and Instant AOS-6.5.x.x / 6.4.x.x. Devices on those branches must be upgraded to a supported, fixed release rather than patched in place.
How serious is it
The advisory assigns the following CVSS v3.1 base scores:
- CVE-2024-42509 — CVSS 9.8 (Critical), unauthenticated command injection in the CLI service.
- CVE-2024-47460 — CVSS 9.0 (Critical), unauthenticated command injection in the CLI service.
Both are network-exploitable, require no authentication, and result in privileged code execution — the combination that drives the near-maximum scores. As of the sources reviewed for this post, neither CVE has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, and there are no confirmed reports of exploitation in the wild. That should be read as "not yet," not "not a concern": access points are an attractive foothold, the flaws are unauthenticated, and the technical details are public. We will treat that status as current to the sources cited and recommend patching on the assumption that exploitation tooling can follow disclosure quickly.
Am I exposed?
You are likely in scope if all of the following are true:
- You operate HPE Aruba Networking access points running Instant AOS-8 or AOS-10.
- Your firmware is at or below the affected versions in the table above — or on an end-of-maintenance branch.
- UDP port 8211 (PAPI) is reachable from any network you do not fully trust. The highest-risk cases are APs with management exposed beyond a dedicated, controlled segment.
Aruba controllers/gateways and AOS-CX switches are not the subject of this particular advisory; it is specifically about access point software. If you are unsure which branch your APs are running, check the firmware version in Aruba Central, your Mobility Conductor, or directly on the device, and compare it against the table.
How to fix it
1. Patch to a fixed release. Upgrade affected access points to one of the resolved versions:
- AOS-10: 10.4.1.5 or later, or 10.7.0.0 or later.
- Instant AOS-8: 8.12.0.3 or later, or 8.10.0.14 or later.
For AOS-10 fleets managed through Aruba Central, schedule the firmware upgrade through Central; for Instant AOS-8 clusters, plan a maintenance window because the AP cluster will reboot.
2. Apply interim mitigations if you cannot patch immediately. HPE Aruba Networking's recommended workarounds differ by platform:
- Instant AOS-8: Enable cluster security with the
cluster-securitycommand. The advisory states this prevents exploitation of the unauthenticated CLI-service flaws. - AOS-10: The cluster-security control is not available, so block access to UDP port 8211 from all untrusted networks (for example, at upstream firewalls and ACLs).
3. Replace what cannot be patched. If your APs are on an end-of-maintenance branch with no fix, the only durable remediation is to move to a supported release — which, for older hardware, may mean a hardware refresh.
As a general hardening practice that limits this and similar PAPI-based attacks, keep access point and controller management traffic on a dedicated, segmented VLAN and never expose it to user, guest, or internet-facing networks.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we help organizations close out advisories like this end to end:
- Assess exposure. We can help you inventory your Aruba access point fleet, identify which units sit on affected or end-of-maintenance branches, and confirm where PAPI/UDP 8211 is reachable.
- Source patched or replacement hardware. For APs that cannot be brought to a supported, fixed release, we can quote and supply current Aruba Wi-Fi hardware on a timeline that fits your maintenance window.
- Support the upgrade. We can coordinate firmware planning and segmentation guidance so the rollout to fixed versions goes cleanly.
- Compliant procurement. For federal, SLED, and healthcare buyers, we transact through the contract vehicles you already use — including TAA-compliant, GSA, and SEWP procurement paths.
If you want a quick exposure check against HPESBNW04722, reach out and we will help you scope it.
Sources
- HPE Aruba Networking Security Advisory HPESBNW04722
- HPE Aruba Networking CSAF advisory (HPESBNW04722) — machine-readable detail
- BleepingComputer: HPE Aruba Networking fixes three critical RCE flaws impacting its access points
- Arctic Wolf: CVE-2024-42509, CVE-2024-47460 — Critical RCE Vulnerabilities Impacting HPE Aruba Networking Access Points
- The Hacker News: HPE Issues Critical Security Patches for Aruba Access Point Vulnerabilities