Unauthenticated Command Injection via Web UI

Aleph Research Advisory





  • Aruba Instant

Vulnerable Versions

    • Aruba Instant 6.4.x: and below
    • Aruba Instant 6.5.x: and below
    • Aruba Instant 8.3.x: and below
    • Aruba Instant 8.5.x: and below
    • Aruba Instant 8.6.x: and below
    • Aruba Instant 8.7.x: and below

Technical Details

An unauthenticated attacker can execute arbitrary commands on Aruba Instant devices, to be able to exploit this vulnerability the attacker has to put a file with a command in the file name in the HTTP directory.

All the files in the webserver directory are compressed with gzip compression. If a client requests a file without accepting gzip then the webserver will do the uncompression for him and execute gunzip.

The filename parameter is unsanitized and can be used to execute arbitrary commands. An attacker can create a file with CVE-2021-25159 and execute commands.


A simple GET request can trigger this vulnerability after using CVE-2021-25159 and CVE-2021-25156.

Host: IP:4343
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9


  • 09-Mar-21
    : Public disclosure.
  • 09-Mar-21
    : Patch available.
  • 03-Feb-21
    : CVE-2021-25162 assigned.
  • 22-Nov-20
    : Reported.



External References