-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
===============================
Advisory ID: HPESBNW04883
CVE: CVE-2025-37100
Publication Date: 2025-Jun-10
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Exposure of Sensitive Information to an Unauthorized User in HPE Aruba Networking Private 5G Core

Overview
========
HPE Aruba Networking has released a software update for the HPE Aruba Networking Private 5G Core Platform that addresses exposure of sensitive information to unauthorized actors.

Affected Products
=================
These vulnerabilities affect the following HPE Aruba Networking Private 5G Core software version unless specifically noted otherwise in the details section:

- HPE Aruba Networking Private 5G Core between 1.24.1.0 and 1.25.1.0 included

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities.

Details
=======

Exposure of Sensitive Information to an Unauthorized User in HPE Aruba Networking Private 5G Core (CVE-2025-37100)
---------------------------------------------------------------------
A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users. A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system files containing sensitive information.

Internal Reference: PSA-499
Severity: High
CVSSv3 Overall Score: 7.7
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Discovery: This vulnerability was discovered during internal penetration testing by HPE Aruba Networking.

Resolution
==========
To resolve the vulnerability described above, it is recommended to upgrade the software to the following version:

- HPE Aruba Networking Private 5G Core 1.25.1.1 and above

HPE Aruba Networking does not evaluate or patch HPE Aruba Networking Private 5G Core Software versions that have reached their End of Support (EoS) milestone. For more information about HPE Aruba Networking Product Lifecycle and versioning policy, please visit:
https://www.hpe.com/psnow/doc/4aa5-5978enw?jumpid=in_pdfviewer-psnow

Workaround
==========
Disable the "Terminal" service.

1. On the upper bar of the GUI, click on System > Services.
2. Toggle the "Terminal" service to disabled or click on the square button to stop the service.

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code targeting this specific vulnerability as of the release date of the advisory.

Revision History
================
Revision 1 / 2025-Jun-10 / Initial release

HPE Aruba Networking SIRT Security Procedures
==============================
Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt@hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.