Hewlett Packard Enterprise (HPE) has disclosed multiple vulnerabilities, the most severe rated high, in its Aruba Networking ClearPass Policy Manager (CPPM), a widely used network access control solution.
These flaws, if exploited, could lead to arbitrary code execution, privilege escalation, and sensitive data exposure. Organizations using affected versions are urged to update their systems immediately.
The vulnerabilities identified have been assigned CVEs including CVE-2025-23058, CVE-2024-7348, CVE-2025-23059, CVE-2025-23060, and CVE-2025-25039.
The severity levels range from medium to high, with the most severe issue scoring 8.8 on the CVSS v3.1 scale.
Overview of the Vulnerabilities
CVE-2025-23058
This is an authenticated broken access control vulnerability in the web-based management interface of CPPM. It allows low-privileged users to execute administrative functions, leading to privilege escalation (CVSS score: 8.8). ING Bank reported this issue.
CVE-2024-7348
A time-of-check/time-of-use (TOCTOU) race condition in PostgreSQL's pg_dump utility, which CPPM bundles, lets an attacker who can create database objects run arbitrary SQL with the privileges of the account performing the pg_dump (CVSS score: 7.5). This flaw was disclosed by Noah Misch of the PostgreSQL Project.
CVE-2025-23059
This vulnerability exposes directories containing sensitive information through the CPPM interface, allowing remote attackers with high privileges to retrieve critical data (CVSS score: 6.8).
CVE-2025-23060
Under certain conditions, sensitive, unencrypted information may be exposed. The vulnerability enables man-in-the-middle attacks and unauthorized access (CVSS score: 6.6).
CVE-2025-25039
Authenticated remote command injection via the web-based management interface allows attackers to execute arbitrary commands on the host system (CVSS score: 4.7).
This issue was reported by Daniel Jensen through HPE’s Bug Bounty Program.
Affected Software Versions
The vulnerabilities impact ClearPass Policy Manager versions:
- 6.12.x: Up to version 6.12.3
- 6.11.x: Up to version 6.11.9
Versions that have reached their End of Maintenance (EoM) are also affected unless otherwise indicated.
HPE Aruba Networking recommends immediate action to update CPPM to versions 6.12.4 or above for the 6.12.x branch and 6.11.10 or above for the 6.11.x branch.
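To turn the affected and fixed version numbers above into something that can be run against an inventory, the following is an added example (not code from HPE or the advisory). It encodes only what the advisory states: 6.12.x below 6.12.4 and 6.11.x below 6.11.10 are affected, and branches older than 6.11 are End of Maintenance and treated as affected. The host names and version strings in the sample inventory are constructed, and the handling of branches newer than 6.12 (flag for manual review) is an assumption, since the advisory does not mention them.

```python
"""Triage ClearPass Policy Manager versions against the fixed releases
named in the HPE advisory (6.12.4 for 6.12.x, 6.11.10 for 6.11.x).
Added example; the inventory at the bottom is constructed, not real data."""
from typing import NamedTuple

# Fixed releases per branch, as stated in the advisory.
FIXED = {
    (6, 12): (6, 12, 4),
    (6, 11): (6, 11, 10),
}
# Oldest branch the advisory names a fix for. Anything older is
# End of Maintenance, which the advisory treats as affected.
OLDEST_SUPPORTED = (6, 11)


class Verdict(NamedTuple):
    host: str
    version: str
    affected: bool
    action: str


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '6.12.3' (or a longer dotted build string) into an int tuple.
    Comparing strings would rank '6.12.10' below '6.12.4'; tuples do not."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CPPM version string: {text!r}")
    return tuple(int(p) for p in parts)


def triage(host: str, version: str) -> Verdict:
    """Classify one host as patched, affected, or outside the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        fixed = FIXED[branch]
        if v[:3] >= fixed:
            return Verdict(host, version, False, "patched")
        target = ".".join(map(str, fixed))
        return Verdict(host, version, True, f"update to {target} or later")
    if branch < OLDEST_SUPPORTED:
        return Verdict(host, version, True,
                       "End of Maintenance branch: migrate to 6.11.10+ or 6.12.4+")
    # Assumption: a branch newer than 6.12 is not covered by the advisory,
    # so it is flagged for manual review rather than declared safe.
    return Verdict(host, version, False,
                   "branch not covered by advisory; verify manually")


def triage_inventory(inventory: dict[str, str]) -> list[Verdict]:
    """Triage every host in a {hostname: version} mapping, sorted by host."""
    return [triage(h, v) for h, v in sorted(inventory.items())]


if __name__ == "__main__":
    # Constructed sample inventory for illustration only.
    sample = {
        "cppm-dc1": "6.12.3",
        "cppm-dc2": "6.12.4",
        "cppm-lab": "6.11.9",
        "cppm-old": "6.10.8",
    }
    for r in triage_inventory(sample):
        print(f"{r.host:10} {r.version:8} affected={str(r.affected):5} {r.action}")
```

The version strings are compared as integer tuples rather than as text, which matters on the 6.11 branch where the fixed release 6.11.10 sorts below 6.11.9 under a plain string comparison.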
Until the update is applied, HPE advises temporarily disabling read-only user access to mitigate CVE-2025-23058, and restricting the web-based management interface to a dedicated management VLAN or to an allow list of administrative hosts enforced by firewall policy. The network restriction reduces exposure of the remaining authenticated flaws as well, but it is a stopgap, not a substitute for the patch.
As of February 7, 2025, there is no evidence of public exploits targeting these vulnerabilities.
Given the severity of these vulnerabilities, organizations using HPE Aruba Networking ClearPass Policy Manager should prioritize applying the patches and implementing the recommended mitigations to safeguard their systems from potential exploitation.