-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW04957
CVE: CVE-2025-37132, CVE-2025-37133, CVE-2025-37134, CVE-2025-37135,
     CVE-2025-37136, CVE-2025-37137, CVE-2025-37138, CVE-2025-37139,
     CVE-2025-37140, CVE-2025-37141, CVE-2025-37142, CVE-2025-37143,
     CVE-2025-37144, CVE-2025-37145
Publication Date: 2025-Oct-14
Status: Confirmed
Severity: High
Revision: 1

Title
=====
HPE Aruba Networking AOS-10 and AOS-8 Mobility Conductor, Controllers,
and Gateways - Multiple Vulnerabilities

Overview
========
HPE Aruba Networking has released AOS-10 GW and AOS-8 patches for
Mobility Conductors, Controllers and Gateways to address multiple
security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Mobility Conductor
- Mobility Controllers
- WLAN and SD-WAN Gateways Managed by HPE Aruba Networking Central

Affected Software Version(s):
- AOS-10.7.x.x: 10.7.2.0 and below
- AOS-10.4.x.x: 10.4.1.8 and below
- AOS-8.13.x.x: 8.13.0.1 and below
- AOS-8.12.x.x: 8.12.0.5 and below
- AOS-8.10.x.x: 8.10.0.18 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this
advisory:
- AOS-10.6.x.x: all
- AOS-10.5.x.x: all
- AOS-10.3.x.x: all
- AOS-8.11.x.x: all
- AOS-8.9.x.x: all
- AOS-8.8.x.x: all
- AOS-8.7.x.x: all
- AOS-8.6.x.x: all
- AOS-6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
===================
Any other HPE Aruba Networking products and software versions not
specifically listed above are not affected by these vulnerabilities.
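The version lists above, combined with the first-fixed versions given under Resolution further down, are what an operator actually needs to turn into a fleet check: is a given AOS build fixed, affected and patchable, on an End of Maintenance branch with no patch, or not named by the advisory at all. The following Python script is an added example and is not HPE Aruba Networking tooling. The branch patterns and first-fixed versions are copied from this advisory; it assumes an AOS version is a dot-separated string of integers, that SD-WAN builds keep the advisory's "base-branch" form with a dash inside one component (e.g. "8.7.0.0-2.3.0.4"), and that "x" in a branch pattern matches any single component. Hostnames in the sample inventory are constructed placeholders.

```python
"""Triage of AOS version strings against HPESBNW04957's version lists.

Added example; not HPE Aruba Networking tooling.  Branch patterns and
first-fixed versions are copied from the advisory's "Affected Software
Version(s)", End of Maintenance and "Resolution" lists.  Assumption: a
version is a dot-separated string of integers; SD-WAN builds carry a
dash inside one component ("8.7.0.0-2.3.0.4"); "x" matches any component.
"""
from typing import List, Tuple

# Branch pattern -> first version on that branch that contains the fix
# (from the Resolution section).
FIXED = {
    "10.7.x.x": "10.7.2.1",
    "10.4.x.x": "10.4.1.9",
    "8.13.x.x": "8.13.1.0",
    "8.12.x.x": "8.12.0.6",
    "8.10.x.x": "8.10.0.19",
}

# Branches the advisory lists as End of Maintenance: every version is
# affected and no patch is provided on that branch.
EOM = [
    "10.6.x.x", "10.5.x.x", "10.3.x.x",
    "8.11.x.x", "8.9.x.x", "8.8.x.x", "8.7.x.x", "8.6.x.x",
    "6.5.4.x",
    "8.7.0.0-2.3.0.x", "8.6.0.4-2.2.x.x",
]


def matches(version: str, pattern: str) -> bool:
    """True when every component of version equals the pattern component
    or the pattern component is the wildcard 'x'."""
    v, p = version.split("."), pattern.split(".")
    return len(v) == len(p) and all(pc in ("x", vc) for vc, pc in zip(v, p))


def as_tuple(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering; a plain string compare would rank
    '8.10.0.9' above '8.10.0.19'."""
    return tuple(int(c) for c in version.split("."))


def classify(version: str) -> str:
    """Return 'fixed', 'affected', 'eom' or 'unlisted' for one version."""
    version = version.strip()
    for pattern, first_fixed in FIXED.items():
        if matches(version, pattern):
            return "fixed" if as_tuple(version) >= as_tuple(first_fixed) else "affected"
    if any(matches(version, pattern) for pattern in EOM):
        return "eom"
    # Not named by the advisory: per "Unaffected Products", out of scope.
    return "unlisted"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify a list of (hostname, version) pairs."""
    return [(host, ver, classify(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("mc-conductor-1", "8.12.0.5"),
        ("mc-controller-2", "8.12.0.6"),
        ("gw-branch-3", "10.7.2.0"),
        ("gw-branch-4", "10.4.1.10"),
        ("mc-legacy-5", "8.11.2.1"),
        ("sdwan-gw-6", "8.7.0.0-2.3.0.4"),
        ("mc-future-7", "10.8.0.0"),
    ]
    for host, ver, status in triage(sample):
        print(f"{host:16} {ver:18} {status}")
```

Anything classified as "eom" cannot be patched on its branch; the advisory's own Resolution text is that such devices must move to a supported AOS-10 or AOS-8 branch. "unlisted" is reported rather than silently treated as safe so that an unexpected version string is looked at by a person.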
Details
=======

Authenticated Remote Code Execution Vulnerability in AOS-10 GW and AOS-8
Controller/Mobility Conductor Web-Based Management Interface via
Arbitrary File Write (CVE-2025-37132)
- - -----------------------------------------------------------------
An arbitrary file write vulnerability exists in the web-based management
interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor
operating systems. Successful exploitation could allow an authenticated
malicious actor to upload arbitrary files and execute arbitrary commands
on the underlying operating system.

Internal References: ATLWL-537, ATLWL-536, ATLWL-533
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Command Injection Vulnerability in AOS-8 Controller/Mobility
Conductor Web-Based Management Interface via the CLI Binary
(CVE-2025-37133)
- - -----------------------------------------------------------------
An authenticated command injection vulnerability exists in the CLI binary
of an AOS-8 Controller/Mobility Conductor operating system. Successful
exploitation could allow an authenticated malicious actor to execute
arbitrary commands as a privileged user on the underlying operating
system.

Internal References: ATLWL-529, ATLWL-528
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Command Injection Vulnerability in the Low-Level Interface
Library Affecting AOS-10 GW and AOS-8 Controller/Mobility Conductor
Web-Based Management Interface (CVE-2025-37134)
- - -----------------------------------------------------------------
An authenticated command injection vulnerability exists in the low-level
interface library of an AOS-10 GW and AOS-8 Controller/Mobility Conductor
web-based management interface. Successful exploitation could allow an
authenticated malicious actor to execute arbitrary commands as a
privileged user on the underlying operating system.

Internal References: ATLWL-544
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Deletion Vulnerabilities in AOS-8
Controller/Mobility Conductor Command Line Interface (CLI)
(CVE-2025-37135, CVE-2025-37136, CVE-2025-37137)
- - -----------------------------------------------------------------
Arbitrary file deletion vulnerabilities have been identified in the
command-line interface of an AOS-8 Controller/Mobility Conductor.
Successful exploitation of these vulnerabilities could allow an
authenticated remote malicious actor to delete arbitrary files within
the affected system.

Internal References: ATLWL-535, ATLWL-530, ATLWL-527
Severity: Medium
CVSSv3.1 Base Score: 6.5
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery:
These vulnerabilities were discovered and reported by zzcentury from
Ubisectech Sirius Team and LIUPENG through HPE Aruba Networking's bug
bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Command Injection Vulnerability in CLI Binary of AOS-10 GW
and AOS-8 Controller/Mobility Conductor Web-Based Management Interface
(Physical Access Required) (CVE-2025-37138)
- - -----------------------------------------------------------------
An authenticated command injection vulnerability exists in the command
line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility
Conductor operating system. Exploitation of this vulnerability requires
physical access to the hardware controllers. A successful attack could
allow an authenticated malicious actor with physical access to execute
arbitrary commands as a privileged user on the underlying operating
system.

Internal References: ATLWL-539
Severity: Medium
CVSSv3.1 Base Score: 6.2
CVSSv3.1 Vector: CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by LIUPENG through HPE
Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that only authorized personnel have
physical access to the affected devices.

Vulnerability in AOS firmware allows for Authenticated Local malicious
actor to Permanently Disable Boot (CVE-2025-37139)
- - ----------------------------------------------------------------
A vulnerability in an AOS firmware binary allows an authenticated
malicious actor to permanently delete necessary boot information.
Successful exploitation may render the system unbootable, resulting in a
Denial of Service that can only be resolved by replacing the affected
hardware.

Internal References: ATLWL-518
Severity: Medium
CVSSv3.1 Base Score: 6.0
CVSSv3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H

Discovery:
This vulnerability was discovered by Nicholas Starke of HPE Aruba
Networking SIRT.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Download Vulnerabilities in CLI Binary of
AOS-8 Controller/Mobility Conductor Web-Based Management Interface
(CVE-2025-37140, CVE-2025-37141, CVE-2025-37142)
- - -----------------------------------------------------------------
Arbitrary file download vulnerabilities exist in the CLI binary of
AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems.
Successful exploitation could allow an authenticated malicious actor to
download arbitrary files through carefully constructed exploits.

Internal References: ATLWL-547, ATLWL-534, ATLWL-526
Severity: Medium
CVSSv3.1 Base Score: 4.9
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery:
These vulnerabilities were discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Download Vulnerability in CLI Binary of
AOS-10 GW and AOS-8 Controller/Mobility Conductor Web Interface
(Physical Access Required) (CVE-2025-37143)
- - -----------------------------------------------------------------
An arbitrary file download vulnerability exists in the web-based
management interface of AOS-10 GW and AOS-8 Controller/Mobility
Conductor operating systems. Successful exploitation could allow an
authenticated malicious actor to download arbitrary files through
carefully constructed exploits.

Internal References: ATLWL-541, ATLWL-538
Severity: Medium
CVSSv3.1 Base Score: 4.9
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by LIUPENG through HPE
Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that only authorized personnel have
physical access to the affected devices.

Authenticated Arbitrary File Download Vulnerabilities in a Low-Level
Interface Library Affecting AOS-10 GW and AOS-8 Controller/Mobility
Conductor Web-Based Management Interface (CVE-2025-37144, CVE-2025-37145)
- - -----------------------------------------------------------------
Arbitrary file download vulnerabilities exist in a low-level interface
library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating
systems. Successful exploitation could allow an authenticated malicious
actor to download arbitrary files through carefully constructed
exploits.

Internal References: ATLWL-545, ATLWL-540
Severity: Medium
CVSSv3.1 Base Score: 4.9
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Resolution
==========
Upgrade Mobility Conductors, Controllers, and Gateways to one of the
following AOS-10 or AOS-8 versions (as applicable) to resolve the
vulnerabilities described in the details section:
- AOS-10.7.x.x: 10.7.2.1 and above
- AOS-10.4.x.x: 10.4.1.9 and above
- AOS-8.13.x.x: 8.13.1.0 and above
- AOS-8.12.x.x: 8.12.0.6 and above
- AOS-8.10.x.x: 8.10.0.19 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal at
https://networkingsupport.hpe.com/downloads;fileTypes=SOFTWARE

HPE Aruba Networking does not evaluate or patch AOS-10 GW and AOS-8
Controller/Mobility Conductor software branches that have reached their
End of Maintenance (EoM) milestone.
For more information about HPE Aruba Networking's End of Life policy
visit: https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for assistance if needed.
For more information, please visit the HPE Aruba Networking Support
Portal at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date of
the advisory.

Revision History
================
Revision 1 / 2025-Oct-14 / Initial release

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmjuxcUXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE64BHAv+OlRJ4dHQuzSd4lIlQMk7KQUD
XanaaQymQLbJ+SlTv+PQ25/gXoRYUdzE/U5//zqucqWiDv/xJErL6MK8aYVx5YI5
unUhOrcck9slURiFfxWwto1zmQzgpwowcHR2X7kpHYfjxBBOEHnc4PN9nYVNf0eo
5fX/By4hHzdiR5QXdXGN2kIFr/ZtSQyO0WjPfML/CCIICGl7C/2Vw5uf/eI0lBI/
GR9tzgj7q38KsMvFRU8/ceKR7/ST9GPyG1MJLNsatcTxmjFKLWI6j7Kn9NRMqALt
xks6zRQJSg8duqjaZel5pVvxXK/rkqSGyIi+30fw7OBhNqrv44hHU9TMebBiSis9
0iueNpgSdvpOA5c0qjxK35iLNBFwY+WO/qPfXU+N/FA5/66MDe/OPjK8nG10jAyS
qbxW3K/6BYqBdmbhfL/nat4CKCeXMBfAgK2Xfe3vl2Y5QU/ZcJTwqGszDSCN86UI
jdRZsV27mHkQXA5mJf6CLUncHVlxXCuClVZBMPi0
=I5g8
-----END PGP SIGNATURE-----