VYPR
Unrated severity · NVD Advisory · Published Mar 30, 2021 · Updated Aug 3, 2024

CVE-2021-25157

Description

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.6 and below; Aruba Instant 8.7.x: 8.7.1.0 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote arbitrary file read vulnerability in Aruba Instant Access Points allows unauthenticated attackers to read sensitive files.

Vulnerability

A remote arbitrary file read vulnerability exists in Aruba Instant Access Point (IAP) products. The affected versions include Aruba Instant 6.4.x (6.4.4.8-4.2.4.17 and below), 6.5.x (6.5.4.18 and below), 8.3.x (8.3.0.14 and below), 8.5.x (8.5.0.11 and below), 8.6.x (8.6.0.6 and below), and 8.7.x (8.7.1.0 and below). The vulnerability allows an attacker to read arbitrary files on the affected device over the network.

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication. The attacker sends a specially crafted request to the vulnerable IAP device, leveraging the file read flaw to access files outside of the intended web root. No user interaction or special network position beyond network access to the management interface is required.

Impact

Successful exploitation permits an unauthenticated attacker to read arbitrary files from the underlying operating system. This can include sensitive configuration files, credentials, encryption keys, or other confidential data, leading to information disclosure that may facilitate further attacks or compromise of the network.

Mitigation

Aruba has released software patches to address this vulnerability. Administrators should upgrade to the following fixed versions or later: Instant 6.4.4.8-4.2.4.18, Instant 6.5.4.19, Instant 8.3.0.15, Instant 8.5.0.12, Instant 8.6.0.7, and Instant 8.7.1.1. If immediate patching is not possible, restricting network access to the management interface to trusted hosts is recommended. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog as of this writing.

[1]
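For fleet triage against the version ranges listed above, this added example (not part of the advisory or of any Aruba tooling) classifies Aruba Instant firmware version strings per release train, including the compound 6.4.x format. The hostnames, the sample inventory and the handling of an optional `_build` suffix are assumptions made for illustration.

```python
import re

# Highest affected release per train, copied from the advisory text above.
MAX_AFFECTED = {
    "6.4": "6.4.4.8-4.2.4.17",
    "6.5": "6.5.4.18",
    "8.3": "8.3.0.14",
    "8.5": "8.5.0.11",
    "8.6": "8.6.0.6",
    "8.7": "8.7.1.0",
}
_VERSION_RE = re.compile(r"^\d+(?:\.\d+)+(?:-\d+(?:\.\d+)+)?$")

def parse_version(text):
    """Turn '8.6.0.6' or '6.4.4.8-4.2.4.17' into a tuple of ints."""
    # Assumption: an inventory may append a build number as '_NNNNN'; drop it.
    core = text.strip().split("_", 1)[0]
    if not _VERSION_RE.match(core):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", core))

def classify(version):
    """Return 'affected', 'fixed' or 'not-listed' for one firmware version."""
    parsed = parse_version(version)
    limit = MAX_AFFECTED.get(f"{parsed[0]}.{parsed[1]}")
    if limit is None:
        # The advisory says nothing about this train, so do not guess.
        return "not-listed"
    return "affected" if parsed <= parse_version(limit) else "fixed"

def triage(inventory):
    """Map each hostname to a classification; bad strings are flagged."""
    results = {}
    for host, version in inventory:
        try:
            results[host] = classify(version)
        except ValueError:
            results[host] = "unparseable"
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("iap-lobby", "8.6.0.6"), ("iap-lab", "8.6.0.7"),
    ("iap-legacy", "6.4.4.8-4.2.4.17"), ("iap-new", "8.8.0.0"),
    ("iap-odd", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as `not-listed` or `unparseable` need a manual check against the vendor advisory, since the ranges above do not cover them.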

References
  1. Packet Storm

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Aruba/Instant Access Point (IAP)
  • Range: Aruba Instant 6.4.x <= 6.4.4.8-4.2.4.17; 6.5.x <= 6.5.4.18; 8.3.x <= 8.3.0.14; 8.5.x <= 8.5.0.11; 8.6.x <= 8.6.0.6; 8.7.x <= 8.7.1.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
