Unrated severityNVD Advisory· Published Mar 30, 2021· Updated Aug 3, 2024

CVE-2021-25162

Description

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba Instant 8.7.x: 8.7.1.1 and below. Aruba has released patches for Aruba Instant that address this security vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote code execution vulnerability in Aruba Instant IAP allows unauthenticated attackers to execute arbitrary commands on affected devices.

Vulnerability

A remote execution of arbitrary commands vulnerability exists in the Aruba Instant Access Point (IAP) software. Affected versions include Aruba Instant 6.4.x (6.4.4.8-4.2.4.17 and below), 6.5.x (6.5.4.18 and below), 8.3.x (8.3.0.14 and below), 8.5.x (8.5.0.11 and below), 8.6.x (8.6.0.7 and below), and 8.7.x (8.7.1.1 and below) [1]. The vulnerability can be exploited remotely without authentication.

Exploitation

An attacker can exploit this vulnerability by sending specially crafted packets to the vulnerable IAP device over the network [1]. No authentication or user interaction is required. The attacker needs network connectivity to the targeted IAP.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary commands on the affected Aruba Instant IAP device with elevated privileges [1]. This can lead to full compromise of the device, including information disclosure and potential lateral movement within the network.

Mitigation

Aruba has released patches for the affected Aruba Instant versions [1]. Users should upgrade to the following fixed versions: Instant 8.7.1.2 or later, Instant 8.6.0.8 or later, Instant 8.5.0.12 or later, Instant 8.3.0.15 or later, Instant 6.5.4.19 or later, and Instant 6.4.4.8-4.2.4.18 or later. No workaround is disclosed in the available references.

References

Packet Storm

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

Aruba/Instant Access Pointdescription
Arubanetworks/Instant (IAP)llm-fuzzy
Range: <=6.4.4.8-4.2.4.17 (6.4.x); <=6.5.4.18 (6.5.x); <=8.3.0.14 (8.3.x); <=8.5.0.11 (8.5.x); <=8.6.0.7 (8.6.x); <=8.7.1.1 (8.7.x)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstormsecurity.com/files/163522/Aruba-Instant-IAP-Remote-Code-Execution.htmlmitrex_refsource_MISC
cert-portal.siemens.com/productcert/pdf/ssa-723417.pdfmitrex_refsource_CONFIRM
www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-007.txtmitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.029
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000