Cybersecurity Threat Advisory 0028-22: TLStorm 2.0 Vulnerabilities in Aruba and Avaya Network switches

Threat Update

Up to 5 vulnerabilities were uncovered within the use of the TLS protocol in multiple models of the Aruba and Avaya Network switches. These vulnerabilities, if exploited, can provide threat actors remote access to enterprise networks and to transfer confidential data from within the network. Barracuda MSP recommends applying the latest available patches to these devices to mitigate these vulnerabilities 

Technical Detail & Additional Information


According to IoT security firm Armis, the design flaws are said to be traced to a single source: the exploitation of NanoSSL. TLStorm 2.0 can leave Aruba and Avaya network switches vulnerable to remote code execution. Once attackers gain access through remote code execution, they can move laterally across the network, as well as exfiltrate sensitive data. Additionally, these vulnerabilities can potentially allow attackers to break network segmentation, which can open further avenues of compromise.


This new finding comes after a March report that showcased the original TLStorm’s vulnerability, which had the ability to allow an attacker to gain remote code execution and cause physical damage to the switches. Furthermore, it was discovered that TLStorm 2.0 vulnerabilities within Avaya switches are “zero-click”. This means activation of the exploit can be triggered simply by sending unauthenticated network packets that require no input from a user.


According to Armis, “These research findings are significant as they highlight that the network infrastructure itself is at risk and exploitable by attackers, meaning that network segmentation alone is no longer sufficient as a security measure”.  With network segmentation being a common security practice, this vulnerability presents a significant risk, as more secure assets may be accessible when previously would not have been. 


Barracuda MSP recommends that all organizations with Avaya and Aruba appliances deployed in their network to apply the latest patches immediately to harden their security stance and prevent a future attack.

  • The following devices are affected: Avaya ERS3500 Series, ERS3600 Series, ERS4900 Series, and ERS5900 Series as well as Aruba 5400R Series, 3810 Series, 2920 Series, 2930F Series, 2930M Series, 2530 Series, and 2540 Series.

For more in-depth information about the recommendations, please visit the following links:

If you have any questions, please contact our Security Operations Center.

Threat Advisory Sign Up