Multiple RCE Vulnerabilities in HP products (CVE-2022-1471, CVE-2025-24813, CVE-2024-3596)

Published On: Sep 29, 2025 15:03

Advisory No: TZCERT-SA-25-0113

Source: HP

Software Affected: HPE Telco Intelligent Assurance, HPE Aruba Networking

Overview

HPE Telco Intelligent Assurance and HPE Aruba Networking are affected by critical vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute code remotely.

Description

HPE Telco Intelligent Assurance and HPE Aruba Networking products are affected by vulnerabilities tracked as CVE-2022-1471, CVE-2025-24813, and CVE-2024-3596, with CVSS scores of 9.8 and 9.0. The vulnerabilities result from the Constructor() class not restricting the types that can be instantiated during deserialization, from malicious YAML content being sent to and deserialized by the constructor, and from a weakness in RADIUS that allows a man-in-the-middle to forge a valid Access-Accept response to a client request. The vulnerabilities allow a remote attacker to perform remote code execution and to access sensitive network resources without authentication.

Impact

Successful exploitation of these vulnerabilities may allow attackers to take control of the affected system.

Solution

HP has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
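
A hardened loading pattern for the deserialization issue in the Description (CVE-2022-1471 is the SnakeYAML Constructor flaw), added here as an example and not taken from HPE or this advisory. It assumes SnakeYAML 2.x on the classpath; the class name SafeYamlLoad, the helper names and the sample documents are constructed for illustration.

```java
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // Constructed sample inputs (not from the advisory).
    static final String PLAIN = "service: assurance\nport: 8443\n";
    // A global tag naming a harmless JDK class stands in for any sender-chosen type.
    static final String TAGGED = "service: !!java.lang.StringBuilder [assurance]\n";

    // SafeConstructor only builds standard YAML types (maps, lists, scalars);
    // a tag that names a Java class has no constructor and is rejected.
    static Yaml safeYaml() {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);      // reject ambiguous documents
        opts.setMaxAliasesForCollections(10);   // bound alias expansion
        return new Yaml(new SafeConstructor(opts));
    }

    // Returns the parsed mapping, or null when the document is rejected.
    @SuppressWarnings("unchecked")
    static Map<String, Object> parseUntrusted(String doc) {
        try {
            Object root = safeYaml().load(doc);
            return (root instanceof Map) ? (Map<String, Object>) root : null;
        } catch (YAMLException e) {
            // Record the rejection: class-naming tags in input are worth alerting on.
            System.err.println("rejected YAML: " + e.getClass().getSimpleName());
            return null;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain  -> " + parseUntrusted(PLAIN));
        System.out.println("tagged -> " + parseUntrusted(TAGGED));
    }
}
```

Restricting the loader this way complements the vendor patches; it does not replace them.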
