Cyber Resilience

CVE-2024-33511

Critical

Published: 01 May 2024

Modified: 15 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2285 (96.0th percentile)
Risk Priority: 33 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-33511 is a critical-severity stack-based buffer overflow (CWE-121) vulnerability in Aruba Networks products (vendor inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 4.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-33511 is a buffer overflow vulnerability in the Automatic Reporting service of Aruba networking products. The flaw resides in the handling of Aruba's PAPI access-point management protocol and is reachable on UDP port 8211. Successful exploitation grants an attacker the ability to run arbitrary code with elevated privileges on the underlying operating system.

An unauthenticated remote attacker can exploit the issue by sending specially crafted PAPI packets to the affected UDP port. No authentication or user interaction is required, and the CVSS 9.8 score reflects that the attack can be carried out over the network with low complexity, resulting in full confidentiality, integrity, and availability impact.

Aruba has published advisory ARUBA-PSA-2024-004.txt that addresses the vulnerability. The EPSS score for this CVE has remained steady at 0.2285 with no material increase observed after disclosure.

EU & UK References

Vulnerability details

There is a buffer overflow vulnerability in the underlying Automatic Reporting service that could lead to unauthenticated remote code execution by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211). Successful exploitation of this vulnerability results in the ability to execute arbitrary code as a privileged user on the underlying operating system.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Arubanetworks
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References