Vulnerability

CERT-In Vulnerability Note CIVN-2025-0335
Multiple Vulnerabilities in HPE Aruba Products

Original Issue Date:November 21, 2025

Severity Rating: HIGH

Software Affected

Rsync daemon

rsync versions 3.2.7 and 3.3.0

HPE Aruba Networking AOS-CX Software Version(s):

AOS-CX 10.16.xxxx: 10.16.1000 and below
AOS-CX 10.15.xxxx: 10.15.1020 and below
AOS-CX 10.14.xxxx: 10.14.1050 and below
AOS-CX 10.13.xxxx: 10.13.1090 and below
AOS-CX 10.10.xxxx: 10.10.1160 and below

Overview

Multiple vulnerabilities have been reported in Rsync Daemon that could be exploited by an unauthenticated attacker to gain Remote Code Execution, Directory Traversal, and Sensitive Information Disclosure on the targeted system.

Target Audience:
System & Security Administrators,Internet Service Providers (ISPs) & Hosting Providers,DevOps Engineers & IT Professionals,Developers & General Linux/Unix Users.

Risk Assessment:
Critical Remote Code Execution (RCE) flaw that is unauthenticated and remote, combined with multiple client-side attack vectors that could compromise the systems.

Impact Assessment:
There are high risks of Confidentiality, Integrity, and Availability.

Description

The HPE Aruba Networking EdgeConnect SD-WAN Gateways are advanced edge devices designed to deliver secure, high-performance, and intelligent software-defined WAN (SD-WAN) connectivity.

1. Heap-based Buffer Overflow Vulnerability ( CVE-2024-12084   )

A Vulnerability exists in Rsync Daemon due to improper handling of attacker-controlled checksum lengths (s2length).
Successfully exploitation of this vulnerability could allow an attacker can write out of bounds in the sum2 buffer, When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes).

2. Information Disclosure Vulnerability ( CVE-2024-12085   )

A Vulnerability exists in Rsync Daemon which could be triggered when rsync compares file checksums.
Successfully exploitation of this vulnerability could allow an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

3. Arbitrary File Read Vulnerability ( CVE-2024-12086   )

A Vulnerability exists in Rsync Daemon which could allow a server to enumerate the contents of an arbitrary file from the clients machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server.
Successfully exploitation of this vulnerability could allow an attacker to sending specially constructed checksum values for arbitrary files, may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

4. Path Traversal Vulnerability ( CVE-2024-12087   )

A Vulnerability exists in Rsync Daemon due to improper handling of symbolic links when the --inc-recursive option is used.
Successfully exploitation of this vulnerability could allow an attacker in malicious server to write files outside of the clients intended destination directory.

5. Path Traversal Bypass Vulnerability ( CVE-2024-12088   )

A Vulnerability exists in Rsync Daemon due to -safe-links option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it.
Successfully exploitation of this vulnerability could allow an attacker lead to arbitrary file write outside the desired directory.

6. Race Condition Vulnerability ( CVE-2024-12747   )

A Vulnerability exists in Rsync Daemon could allow a remote attacker to obtain sensitive information, caused by a race condition in the handling of symbolic links.

Solution

Apply appropriate software updates as mentioned by Security vendor
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

CVE Name
CVE-2024-12084
CVE-2024-12085
CVE-2024-12086
CVE-2024-12087
CVE-2024-12088
CVE-2024-12747

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India