CVE-2021-25156
Description
A remote arbitrary directory create vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote attacker can create arbitrary directories on vulnerable Aruba Instant Access Point (IAP) devices, enabling further compromise.
Vulnerability
A remote arbitrary directory creation vulnerability exists in multiple versions of Aruba Instant Access Point (IAP) software. Affected versions include Aruba Instant 6.4.x (6.4.4.8-4.2.4.17 and below), 6.5.x (6.5.4.18 and below), 8.3.x (8.3.0.14 and below), 8.5.x (8.5.0.11 and below), 8.6.x (8.6.0.6 and below), and 8.7.x (8.7.1.0 and below). The vulnerability (CVE-2021-25156) allows an unauthenticated remote attacker to create directories on the device's filesystem without proper authorization [1]. No special configuration is required for the vulnerable code path to be reachable.
Exploitation
An attacker can exploit this vulnerability over the network without requiring authentication or any prior access to the device. The attack does not require user interaction or a specific race window. By sending specially crafted requests to the affected IAP, the attacker can create directories at arbitrary locations on the filesystem. Detailed exploit techniques have been publicly disclosed [1].
Impact
Successful exploitation enables the attacker to create arbitrary directories on the device. While this vulnerability alone does not directly lead to arbitrary code execution, it can be combined with other flaws (such as CVE-2021-25155) to achieve remote code execution (RCE) with root privileges, giving the attacker full control over the affected access point [1]. The initial impact is to disrupt device integrity and potentially facilitate more severe attacks on the network.
Mitigation
Aruba has released patches for all affected versions. Users should upgrade their Aruba Instant firmware to the following fixed versions or later: 6.4.4.8-4.2.4.18 (if still supported), 6.5.4.19, 8.3.0.15, 8.5.0.12, 8.6.0.7, or 8.7.1.1 [1]. No workarounds have been disclosed. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. Users should apply patches as soon as possible.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Aruba/Instant Access Point (IAP)
- Range: multiple specific versions: Aruba Instant 6.4.x: ≤6.4.4.8-4.2.4.17; 6.5.x: ≤6.5.4.18; 8.3.x: ≤8.3.0.14; 8.5.x: ≤8.5.0.11; 8.6.x: ≤8.6.0.6; 8.7.x: ≤8.7.1.0
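To check a firmware inventory against the ranges listed above, the following Python is an added example, not part of the CVE record or Aruba's tooling. The hostnames, the sample versions and the handling of a trailing `_<build>` suffix are assumptions.

```python
import re

# Last affected release per branch, copied from the ranges on this page.
LAST_AFFECTED = {
    (6, 4): "6.4.4.8-4.2.4.17",
    (6, 5): "6.5.4.18",
    (8, 3): "8.3.0.14",
    (8, 5): "8.5.0.11",
    (8, 6): "8.6.0.6",
    (8, 7): "8.7.1.0",
}

def parse_version(text):
    """Turn '6.4.4.8-4.2.4.17' into (6, 4, 4, 8, 4, 2, 4, 17)."""
    core = text.strip().split("_", 1)[0]  # assumption: '_<build>' suffix is ignorable
    if not re.fullmatch(r"\d+(\.\d+)+(-\d+(\.\d+)+)?", core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", core))

def is_affected(text):
    """True/False for a listed branch, None when the page gives no range for it."""
    version = parse_version(text)
    last = LAST_AFFECTED.get(version[:2])
    if last is None:
        return None
    return version <= parse_version(last)

def triage(inventory):
    """Label each (host, version) pair: vulnerable, not_affected, unlisted, unparsed."""
    labels = {True: "vulnerable", False: "not_affected", None: "unlisted"}
    report = {}
    for host, version in inventory:
        try:
            report[host] = labels[is_affected(version)]
        except ValueError:
            report[host] = "unparsed"  # review by hand rather than guess
    return report

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [("iap-lobby", "8.6.0.6_78000"), ("iap-lab", "8.6.0.7"),
          ("iap-legacy", "6.4.4.8-4.2.4.17"), ("iap-branch", "8.4.0.0"),
          ("iap-odd", "unknown")]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Branches the page does not list come back as `unlisted` rather than as safe, so they still need a check against the vendor advisory.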
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.html (mitre, x_refsource_MISC)
- cert-portal.siemens.com/productcert/pdf/ssa-723417.pdf (mitre, x_refsource_CONFIRM)
- www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txt (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.