
Pre-authentication XXE and HTTP SSRF Vulnerability in ArubaOS 8.13.2 Dismissed as Theoretical Despite Evidence
Tags: XXE, SSRF, ArubaOS, vulnerability, network_security, PoC, pre-authentication
The post reports a pre-authentication XXE vulnerability in ArubaOS 8.13.2, reachable on port 32000 (the default XML API port) without any credentials. The submitter provided evidence including a TCP packet capture, an sshd log from localhost, and an internal port scan demonstrating SSRF against nine internal ports. The vendor dismissed the issue as 'theoretical / no valid PoC' despite the submitted proof. A full writeup, proof-of-concept (PoC), and packet capture are available on GitHub.
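The mechanism described above is an XML endpoint that resolves a DTD-declared external entity before the caller has authenticated, which turns the parser into an SSRF primitive against loopback and internal ports. The defensive counterpart is to refuse any document that carries a DTD at all, and to make sure the parser never fetches an external reference even if one slips through. The following Python is an added example of that intake check and is not ArubaOS code or anything from the submitter's PoC; it uses only the standard library's expat and ElementTree modules. The element names (`aruba`, `cmd`) and the sample documents, including the loopback URI in the hostile one, are constructed for illustration and are assumptions, not values taken from the report.

```python
"""Hardened XML intake: report DTD constructs, block external fetches, reject."""
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when a submitted document declares a DTD (DOCTYPE / ENTITY)."""


def inspect_dtd(xml_bytes: bytes) -> dict:
    """Scan a document with expat and report any DTD constructs it declares.

    Returns {"doctype": <name or None>, "external_entities": [<URI>, ...]}.
    The URIs are exactly what an XXE would make the server fetch, so they are
    the values worth logging for detection.
    """
    report = {"doctype": None, "external_entities": []}
    parser = expat.ParserCreate()
    # Never process parameter entities: no external DTD subset is ever loaded.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name
        if sysid:  # <!DOCTYPE x SYSTEM "..."> points at an external DTD
            report["external_entities"].append(sysid)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if sysid:  # <!ENTITY x SYSTEM "..."> is the classic XXE/SSRF vector
            report["external_entities"].append(sysid)

    def on_external_ref(context, base, sysid, pubid):
        # Returning 0 makes expat abort the parse instead of resolving the URI,
        # so even a reference in content never produces an outbound request.
        return 0

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError:
        # The aborted external reference (or any malformed input) surfaces as
        # an ExpatError; the declarations seen before it are already recorded.
        pass
    return report


def safe_parse(xml_bytes: bytes) -> ET.Element:
    """Parse only DTD-free documents; anything with a DOCTYPE is refused."""
    report = inspect_dtd(xml_bytes)
    if report["doctype"] is not None:
        raise UnsafeXMLError(
            f"DTD rejected: doctype={report['doctype']!r} "
            f"external_refs={report['external_entities']}"
        )
    return ET.fromstring(xml_bytes)


def handle_request(xml_bytes: bytes) -> str:
    """Gateway-style wrapper: returns the command text or a rejection string."""
    try:
        root = safe_parse(xml_bytes)
    except UnsafeXMLError as exc:
        return f"rejected: {exc}"
    cmd = root.find("cmd")
    return cmd.text if cmd is not None and cmd.text else "rejected: no cmd"


# Constructed sample inputs (hypothetical element names, not the real API).
BENIGN = b'<?xml version="1.0"?><aruba><cmd>show version</cmd></aruba>'
HOSTILE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE aruba [<!ENTITY probe SYSTEM "http://127.0.0.1:22/">]>'
    b'<aruba><cmd>&probe;</cmd></aruba>'
)

if __name__ == "__main__":
    print(inspect_dtd(BENIGN))
    print(inspect_dtd(HOSTILE))
    print(handle_request(BENIGN))
    print(handle_request(HOSTILE))
```

The rejection happens before any application logic runs, which is the property that matters for a pre-authentication endpoint: the parser is reached by unauthenticated callers, so the parser itself must be the control. Logging the `external_entities` list from `inspect_dtd` on rejection also gives a detection signal, since loopback or RFC 1918 URIs in a DTD from an external client are a strong indicator of an SSRF probe.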