Cyber Resilience

CVE-2026-44860

High

Published: 12 May 2026
Modified: 14 May 2026
KEV added: not listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0004 (11.5th percentile)
Risk priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-44860 is a high-severity SQL Injection (CWE-89) vulnerability in Arubanetworks Arubaos. Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 11.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

SQL injection vulnerabilities exist in several underlying service components accessible through the AOS-8 and AOS-10 command-line interface and management protocol. An authenticated attacker with administrative privileges could exploit these vulnerabilities by injecting crafted input into parameters that are passed unsanitized to backend database queries. Successful exploitation could allow the attacker to execute arbitrary commands on the underlying operating system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.
Why these techniques?

SQL injection reachable through the management CLI/protocol leads directly to OS command execution: T1190 covers exploitation of the management interface itself, and T1059.008 covers the resulting command execution through the network device's CLI.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-44862 (same product: Arubanetworks Arubaos)
CVE-2026-44863 (same product: Arubanetworks Arubaos)
CVE-2026-44861 (same product: Arubanetworks Arubaos)
CVE-2026-44864 (same product: Arubanetworks Arubaos)
CVE-2026-23827 (same product: Arubanetworks Arubaos)
CVE-2026-44852 (same product: Arubanetworks Arubaos)
CVE-2026-44854 (same product: Arubanetworks Arubaos)
CVE-2026-44871 (same product: Arubanetworks Arubaos)
CVE-2026-44870 (same product: Arubanetworks Arubaos)
CVE-2026-44869 (same product: Arubanetworks Arubaos)

Affected Assets

arubanetworks / arubaos: 6.5.4.0 to 8.10.0.22 · 8.11.0.0 to 8.12.0.7 · 8.13.0.0 to 8.13.1.2
arubanetworks / sd-wan: 8.6.0.4-2.2.0.0 to 8.6.0.4-2.2.0.7 · 8.7.0.0-2.3.0.0 to 8.7.0.0-2.3.0.9

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-89: Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Addresses CWE-89: Validates query inputs to prevent SQL syntax or command manipulation.
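To make the second CWE-89 control concrete, here is an added example that is not code from this page, from HPE Aruba, or from the affected product: a hypothetical device-record lookup against a constructed in-memory SQLite table, written the vulnerable way (caller input spliced into the SQL text) beside the hardened way (bound parameter, plus an allow-list check on the input shape). The table contents, the AP names, the regular expression and all function names are constructed for the demo.

```python
import re
import sqlite3


def build_db():
    # Constructed sample data standing in for a backend store queried by a
    # management-interface command (hypothetical, not the affected product).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aps (name TEXT, ip TEXT)")
    conn.executemany(
        "INSERT INTO aps VALUES (?, ?)",
        [("ap-lobby", "10.0.0.11"), ("ap-floor2", "10.0.0.12")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Anti-pattern (CWE-89): the caller-supplied value becomes part of the SQL
    # text, so quote characters in `name` change the query's structure.
    sql = f"SELECT name, ip FROM aps WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Hardened: the value is passed as a bound parameter; the database engine
    # never parses it as SQL, so it can only ever match literally.
    return conn.execute(
        "SELECT name, ip FROM aps WHERE name = ?", (name,)
    ).fetchall()


# Allow-list for the expected input shape (constructed for this demo): an AP
# name of 1-64 characters drawn from letters, digits, dot, underscore, hyphen.
AP_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def lookup_validated(conn, name):
    # Defense in depth: reject input that does not match the expected shape
    # before it reaches the (already parameterized) query.
    if not AP_NAME_RE.fullmatch(name):
        raise ValueError("invalid AP name")
    return lookup_parameterized(conn, name)


def demo():
    # Runs the three variants against the same constructed input and reports
    # how each one behaves, so the difference is visible as data, not prose.
    conn = build_db()
    tautology = "x' OR '1'='1"  # constructed input containing quote characters
    try:
        lookup_validated(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    return {
        # The spliced query's WHERE clause was rewritten: every row comes back.
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),
        # The bound parameter is compared literally: nothing matches.
        "parameterized_rows": len(lookup_parameterized(conn, tautology)),
        # The allow-list check stops the value before any query runs.
        "validated_rejected": rejected,
        # A well-formed name still works through the hardened path.
        "valid_lookup": lookup_validated(conn, "ap-lobby"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detection angle follows from the same contrast: in the vulnerable path the query text itself varies with attacker input, so database or application logs that record executed SQL will show statements whose structure differs from the expected template, whereas the parameterized path always issues the identical statement and only the bound values change.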

References