Aruba AirWave systems need patching against multiple bugs in their control interface.
Posted to Full Disclosure by SEC Consult, there are two problems with the kit: an XML External Entity Injection attack; and a reflected cross-site scripting (XSS) attack.
Both can be exploited remotely.
In CVE-2016-8526, the XML parser used by the AirWave control panel resolves external XML entities, so an attacker can read files and port-scan the internal network by sending commands to the parser.
The advisory adds that files on the AirWave are encrypted using a shared static key, meaning privilege escalation is also feasible.
The bugs are fixed in Aruba AirWave 18.104.22.168, released in late February. ®