
HPE Aruba Networking has released security updates to address multiple vulnerabilities in its ClearPass Policy Manager (CPPM) software. The vulnerabilities range in severity from medium to high and could allow attackers to gain unauthorized access to sensitive data, execute arbitrary code, or escalate privileges.
One of the most serious vulnerabilities, CVE-2025-23058, is an authenticated broken access control vulnerability that could allow a low-privileged attacker to gain access to administrative functions. This vulnerability has a CVSS v3.1 base score of 8.8, indicating a high severity level.
Another notable vulnerability, CVE-2024-7348, affects the PostgreSQL component of CPPM and could allow an attacker to execute arbitrary SQL code. This vulnerability has a CVSS v3.1 base score of 7.5, also indicating a high severity level.
The remaining vulnerabilities include sensitive information disclosure (CVE-2025-23059), sensitive data exposure (CVE-2025-23060), and authenticated remote command injection (CVE-2025-25039). These vulnerabilities have CVSS v3.1 base scores ranging from 4.7 to 6.8, indicating medium severity levels.
HPE Aruba Networking strongly recommends that users upgrade their CPPM software to the latest versions to mitigate these vulnerabilities. The patched versions are 6.12.4 and above for the 6.12.x branch, and 6.11.10 and above for the 6.11.x branch.
Organizations using HPE Aruba Networking ClearPass Policy Manager should take the following immediate security actions:
✅ Upgrade to the patched versions (6.12.4+ and 6.11.10+).
✅ Disable read-only access (for CVE-2025-23058).
✅ Restrict management interfaces to a dedicated VLAN or firewall-controlled zone.
✅ Monitor logs for suspicious activity or unauthorized administrative actions.
✅ Apply PostgreSQL security updates if using affected versions.
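The first action item depends on knowing which ClearPass appliances in an estate still run a pre-fix build. The following script is an added example, not code from HPE Aruba Networking or from the article: it parses CPPM version strings and compares them branch by branch against the fixed releases the advisory names (6.12.4 for 6.12.x, 6.11.10 for 6.11.x). The function names, the `FIXED_VERSIONS` table layout and the sample inventory are assumptions for illustration; the thresholds themselves come from the text above. Branches the advisory does not mention are flagged for manual review rather than guessed at.

```python
"""Branch-aware version check for ClearPass Policy Manager (CPPM) builds.

Added example (not HPE Aruba Networking's code). The fixed-version thresholds
are the ones stated in the advisory summary; function names, the inventory
format and all hostnames/versions below are constructed for illustration.
"""

import re
from typing import Dict, Iterable, Optional, Tuple

# Minimum fixed release per supported branch, as stated in the advisory summary.
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (6, 12): (6, 12, 4),
    (6, 11): (6, 11, 10),
}

# Accepts "6.12.4", "v6.12.4" or "6.11.9.12345" (optional build number).
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?\s*$")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse 'major.minor.patch[.build]' into a tuple of ints; None if malformed."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def assess(version_text: str) -> str:
    """Classify one version string as 'patched', 'vulnerable',
    'unsupported-branch' (not covered by the advisory) or 'unparseable'."""
    v = parse_version(version_text)
    if v is None:
        return "unparseable"
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        # Branches the advisory does not name (e.g. an older 6.10.x) cannot be
        # judged from this table; surface them for a human instead of guessing.
        return "unsupported-branch"
    # Tuple comparison orders numerically (6.12.10 > 6.12.4); a plain string
    # comparison would rank "6.12.10" below "6.12.4" and miss a patched host.
    return "patched" if v[:3] >= fixed else "vulnerable"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map hostname -> assessment for an inventory of (host, version) pairs."""
    return {host: assess(ver) for host, ver in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = [
        ("cppm-dc1", "6.12.3"),
        ("cppm-dc2", "6.12.4"),
        ("cppm-lab", "6.11.9.12345"),
        ("cppm-dr", "6.11.10"),
        ("cppm-old", "6.10.8"),
        ("cppm-bad", "latest"),
    ]
    for host, result in triage(sample).items():
        print(f"{host:10s} {result}")
```

Run it against an exported appliance inventory to get a per-host patch status; anything reported as `unsupported-branch` or `unparseable` should be checked by hand against the vendor advisory rather than assumed safe.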