"Aruba ClearPass Policy Manager: Multiple 2025 Vulnerabilities (CVE-2025-23058, HPESBNW04784) — NAC Hardening Guide"

ClearPass Policy Manager (CPPM) is the authentication and network access control (NAC) brain for many enterprise, healthcare, and public-sector networks. It decides who and what gets onto the network. When the appliance that enforces your access policy has its own access-control flaws, the blast radius is wide. In February 2025, HPE Aruba Networking published advisory HPESBNW04784 covering five vulnerabilities in CPPM, including an authenticated privilege-escalation issue rated High. This post explains what was disclosed, how serious it is, and exactly what to upgrade to.
What happened
On February 4, 2025 (last revised March 5, 2025), HPE Aruba Networking released security advisory HPESBNW04784 documenting five distinct vulnerabilities in ClearPass Policy Manager. The most significant is CVE-2025-23058, a broken access control flaw in the CPPM web-based management interface that lets a low-privileged, read-only authenticated user gain unauthorized administrative access and escalate privileges.
The remaining four issues range from information disclosure to authenticated command injection, plus an inherited PostgreSQL vulnerability. None require a pre-existing administrator account for the headline issue, but all require some level of authenticated access to the management interface. HPE Aruba Networking released fixed software for both the 6.11.x and 6.12.x branches.
Affected products and versions
All five CVEs in HPESBNW04784 affect HPE Aruba Networking ClearPass Policy Manager. The fix lands in the same two patched releases.
| Product | Affected | Fixed |
|---|---|---|
| ClearPass Policy Manager 6.12.x | 6.12.3 and below | 6.12.4 and above |
| ClearPass Policy Manager 6.11.x | 6.11.9 and below | 6.11.10 and above |
Per the advisory, CPPM branches older than 6.11.x were end of maintenance at the time of publication and did not receive a fix — if you are on an older train, the remediation is to migrate onto a supported, patched branch.
How serious is it
The advisory assigns these CVSS v3.1 base scores (vendor-published):
- CVE-2025-23058 — Authenticated broken access control / privilege escalation in the web management interface. CVSS 8.8 (High). Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This is the priority fix: low privilege in, full compromise of the policy engine out.
- CVE-2024-7348 — Inherited PostgreSQL
pg_dumprace condition (time-of-check/time-of-use) enabling arbitrary SQL execution as the user running pg_dump. CVSS 7.5 (High) as scored in the advisory. - CVE-2025-23059 — Sensitive information disclosure; the web interface exposes directories with sensitive data to high-privilege authenticated users. CVSS 6.8 (Medium).
- CVE-2025-23060 — Sensitive data exposure; under certain conditions unencrypted sensitive information can be exposed, enabling man-in-the-middle scenarios. CVSS 6.6 (Medium).
- CVE-2025-25039 — Authenticated remote command injection in the web management interface, allowing arbitrary commands on the underlying host. CVSS 4.7 (Medium).
Exploitation status: As of this writing, none of these five CVEs appear in the CISA Known Exploited Vulnerabilities (KEV) catalog, and we have found no public reports of active exploitation or published exploit code. That is good news, but it is not a reason to defer patching. ClearPass is high-value infrastructure, the access-control flaw is straightforward to reason about, and the details are public — the window between disclosure and weaponization for this class of appliance can be short. Treat this as a prompt-patch item, not an emergency-only one.
Am I exposed?
You are in scope if you run ClearPass Policy Manager on 6.12.3-or-below or 6.11.9-or-below. To check quickly:
- Confirm your version. In the CPPM admin UI, go to Administration > Server Manager > Server Configuration, or check the dashboard/support page for the exact build (e.g., 6.11.x or 6.12.x and the point release).
- Inventory every node. ClearPass is typically deployed as a publisher plus one or more subscribers, often across data centers. All nodes run the same software train and all need to be patched.
- Assess management-plane exposure. The most damaging issues are reachable through the web-based management interface. If that interface is reachable from general user VLANs, partner networks, or (worst case) the internet, your real-world risk is higher than the CVSS base score alone suggests.
- Review account hygiene. CVE-2025-23058 is exploitable from a low-privileged, read-only account — audit who holds CPPM operator/read-only credentials.
How to fix it
Patch to a fixed release. This is the definitive remediation:
- 6.12.x branch → upgrade to 6.12.4 or later
- 6.11.x branch → upgrade to 6.11.10 or later
- Older/unsupported branches → migrate to a supported, patched branch
Interim mitigations from the advisory (use only until you can patch, not as a substitute):
- For CVE-2025-23058: temporarily disable read-only (ro) access to ClearPass Policy Manager until the upgrade to the fixed version is complete.
- For the other four CVEs: restrict the web-based management interfaces to a dedicated layer-2 segment/VLAN and/or control access with firewall policies at layer 3 and above. In practice, the CPPM management plane should never be broadly reachable — lock it to a hardened admin network.
After upgrading, patch the publisher and all subscribers, verify cluster health, and confirm the running build reports a fixed version on every node.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller serving US federal, SLED, healthcare, and enterprise customers. For this advisory we can help you:
- Assess exposure — inventory your ClearPass cluster, identify nodes on affected 6.11.x/6.12.x builds, and review management-plane reachability and read-only account usage.
- Plan and support the upgrade — sequence the publisher/subscriber upgrade to 6.11.10 or 6.12.4, apply interim mitigations safely in the meantime, and validate cluster health afterward.
- Source patched or replacement hardware — if you are on end-of-maintenance hardware or software that cannot reach a fixed branch, we can quote current CPPM appliances or virtual-appliance licensing and refresh paths.
- Procure the right way — TAA-compliant hardware through GSA and SEWP vehicles, with documentation that satisfies federal and SLED acquisition requirements.
If you run ClearPass and want a quick exposure check or an upgrade plan, contact Uniqcli and we will help you close this out.
Sources
- HPE Aruba Networking advisory HPESBNW04784 (CPPM multiple vulnerabilities)
- HPE Aruba Networking CSAF: hpesbnw04784 (machine-readable advisory)
- HPE Aruba Networking advisory HPESBNW04761
- Tenable plugin 215058 — Aruba ClearPass Policy Manager 6.11.x < 6.11.10 / 6.12.x < 6.12.4
- NVD — CVE-2025-25039
- CISA Known Exploited Vulnerabilities Catalog