Connect with us

Hi, what are you looking for?



Vulnerabilities in Aruba and Avaya Switches Expose Enterprise Networks to Attacks

Switches used by organizations around the world are affected by critical vulnerabilities that could allow malicious actors to gain remote access to enterprise networks and steal valuable data, according to enterprise device security company Armis.

Switches used by organizations around the world are affected by critical vulnerabilities that could allow malicious actors to gain remote access to enterprise networks and steal valuable data, according to enterprise device security company Armis.

Earlier this year, Armis warned that uninterruptible power supply (UPS) products made by Schneider Electric subsidiary APC are affected by critical vulnerabilities that can be exploited to remotely hack and damage devices.

The root cause of the UPS vulnerabilities, named TLStorm by Armis, was related to the implementation of Mocana’s popular TLS library NanoSSL. Further analysis showed that other vendors also introduced similar vulnerabilities in their products due to misuse of the same TLS library.

Aruba switches affected by TLStorm 2.0 vulnerabilitiesArmis researchers discovered a new round of vulnerabilities, which they have dubbed TLStorm 2.0, in switches made by Extreme Networks-owned Avaya and HPE subsidiary Aruba.

Aruba switches are affected by two types of critical vulnerabilities tracked as CVE-2022-23677 and CVE-2022-23676, while Avaya devices are affected by CVE-2022-29860 and CVE-2022-29861. Each of these vulnerabilities can allow remote code execution (RCE) on the impacted device.

Another RCE vulnerability affecting Avaya devices has not been assigned a CVE identifier due to the fact that it impacts discontinued products, but Armis warned that the vulnerable devices are still in use.

The cybersecurity company has described several theoretical attack scenarios involving these vulnerabilities. One of them is related to captive portals, the web page that users see when trying to access a corporate network or the internet from an airport or a hotel.

An attacker could exploit the TLStorm 2.0 vulnerabilities to abuse a captive portal and achieve arbitrary code execution on a switch without authentication. Once they have control of the switch, the attacker can disable the captive portal and freely access the protected corporate network.

Advertisement. Scroll to continue reading.

Attackers could also exploit the TLStorm 2.0 flaws to take control of a core switch, which enables them to break network segmentation and move laterally on the network.

Exploitation of the vulnerabilities can give an attacker access to sensitive information stored on the targeted network, which they can exfiltrate to remote servers.

The vulnerabilities have been found to affect Avaya ethernet routing switch (ERS) series devices and seven types of switches from Aruba.

The vendors have been notified. Aruba is working on patches and Avaya has already released firmware updates for some of the impacted products. Armis says it’s not aware of any malicious attacks exploiting the vulnerabilities.

*updated to say that Aruba and Avaya are still working on patches

Related: Critical Vulnerability Can Be Exploited to Hack Schneider Electric’s Modicon PLCs

Related: Flaws in Pneumatic Tube System Can Facilitate Cyberattacks on North American Hospitals

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.