-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW04958
CVE: CVE-2025-37146, CVE-2025-37147, CVE-2025-37148
Publication Date: 2025-OCT-14
Last Updated: 2025-OCT-15
Status: Confirmed
Severity: High
Revision: 2

Title
=====
HPE Aruba Networking AOS-8 Instant AP and AOS-10 AP Multiple
Vulnerabilities

Overview
========
HPE Aruba Networking has released patches for Aruba access points running
AOS-8 Instant and AOS-10 AP that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking
 - Access Points running AOS-8 Instant
 - Access Points running AOS-10 AP

Affected Software Version(s):
 - AOS-10.7.x.x: 10.7.2.0 and below
 - AOS-10.4.x.x: 10.4.1.8 and below
 - AOS-8.13.0.0: 8.13.0.1 and below
 - AOS-8.12.x.x: 8.12.0.5 and below
 - AOS-8.10.x.x: 8.10.0.18 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this advisory:
 - AOS-10 AP 10.6.x.x: all
 - AOS-10 AP 10.5.x.x: all
 - AOS-10 AP 10.3.x.x: all
 - AOS-8 Instant 8.11.x.x: all
 - AOS-8 Instant 8.9.x.x: all
 - AOS-8 Instant 8.8.x.x: all
 - AOS-8 Instant 8.7.x.x: all
 - AOS-8 Instant 8.6.x.x: all
 - AOS-8 Instant 8.5.x.x: all
 - AOS-8 Instant 8.4.x.x: all
 - AOS Instant 6.5.x.x: all
 - AOS Instant 6.4.x.x: all

Unaffected Products
===================
HPE Aruba Networking Mobility Conductor, Mobility Controllers, and all
Gateways are not affected by these vulnerabilities.

HPE Networking Instant On Access Points are also not affected by these
vulnerabilities.

Any other supported software versions not listed under the Affected
Products section of this advisory are not known to be affected by the
disclosed vulnerabilities.
Details
=======

Unauthorized Filesystem Operations in System Firmware allow Authenticated
Remote Code Execution (CVE-2025-37146)
- -------------------------------------------------------------------------
A vulnerability in the web-based management interface of network access
point configuration services could allow an authenticated remote attacker
to perform remote command execution. Successful exploitation could allow
an attacker to execute arbitrary commands on the underlying operating
system.

Internal References: ATLWL-558
Severity: High
CVSSv3.x Overall Score: 7.2
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered and reported by zzcentury from
Ubisectech Sirius Team through HPE Aruba Networking's Bug Bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
for APs with local web interfaces HPE Aruba Networking recommends that the
CLI and web-based management interfaces be restricted to a dedicated
layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and
above, along with accounting controls for tracking and logging user
activities and resource usage.

[Note: All AOS 10 APs are managed by Central and therefore do not have the
local web interface enabled]

Secure Boot Bypass allows for Compromise of Hardware Root of Trust
(CVE-2025-37147)
- -------------------------------------------------------------------------
A Secure Boot Bypass vulnerability exists in affected Access Points that
allows an adversary to bypass the hardware root of trust verification in
place to ensure only vendor-signed firmware can execute on the device. An
adversary can exploit this vulnerability to run modified or custom
firmware on affected Access Points.
Internal References: ATLWL-525, ATLWL-461
Severity: High
CVSS v3.1 Base Score: 7.1
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Discovery:
This vulnerability was discovered by Nicholas Starke of HPE Aruba
Networking SIRT.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends restricting physical access to the
device's serial port.

Kernel Panic triggered by Modified Ethernet Frames leads to Denial of
Service Vulnerability (CVE-2025-37148)
- -------------------------------------------------------------------------
A vulnerability in the parsing of Ethernet frames in AOS-8 Instant and
AOS 10 could allow an unauthenticated remote attacker to conduct a denial
of service attack. Successful exploitation could allow an attacker to
potentially disrupt network services and require manual intervention to
restore functionality.

Internal References: ATLWL-520
Severity: Medium
CVSS v3.1 Base Score: 6.5
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery:
This vulnerability was discovered by Colton Bachman and Nicholas Starke of
HPE Aruba Networking SIRT.

Workaround:
None

Resolution
==========
Upgrade HPE Aruba Networking AOS-8 Instant APs and AOS-10 APs to one of
the following software versions (as applicable) to resolve the
vulnerabilities described above in the Details section:
 - AOS-10 AP 10.7.x.x: 10.7.2.1 and above
 - AOS-10 AP 10.4.x.x: 10.4.1.9 and above
 - AOS-8 Instant 8.13.x.x: 8.13.1.0 and above
 - AOS-8 Instant 8.12.x.x: 8.12.0.6 and above
 - AOS-8 Instant 8.10.x.x: 8.10.0.19 and above

HPE Aruba Networking does not evaluate or patch AOS-8 Instant or AOS-10 AP
software branches that have reached their End of Maintenance (EoM)
milestone. For more information about the HPE Aruba Networking End of Life
policy please visit:
https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above.
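Turning the Affected Products and Resolution sections into a repeatable check is the first thing an operator wants before scheduling upgrades. The script below is an added example, not HPE Aruba Networking code: it encodes the fixed builds and End of Maintenance branches exactly as this advisory lists them, classifies a running AOS version string as fixed, affected, end-of-maintenance or not-listed, and groups an AP inventory by that result. The inventory at the bottom is constructed sample data; a version parse that does not match the dotted numeric form the advisory uses is rejected rather than guessed at.

```python
"""Classify AOS-8 Instant / AOS-10 AP versions against HPESBNW04958.

Added example (not HPE Aruba Networking code). Version boundaries are the
ones published in the advisory's Affected Products and Resolution sections.
"""
from __future__ import annotations

# First fixed build per supported branch (Resolution section). A branch is
# keyed by its first two numeric components, e.g. (10, 7) for 10.7.x.x.
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, ...]] = {
    (10, 7): (10, 7, 2, 1),
    (10, 4): (10, 4, 1, 9),
    (8, 13): (8, 13, 1, 0),
    (8, 12): (8, 12, 0, 6),
    (8, 10): (8, 10, 0, 19),
}

# Branches the advisory lists as End of Maintenance: every build in them is
# affected and no patch will be issued, so the only remedy is a branch move.
EOM_BRANCHES: set[tuple[int, int]] = {
    (10, 6), (10, 5), (10, 3),
    (8, 11), (8, 9), (8, 8), (8, 7), (8, 6), (8, 5), (8, 4),
    (6, 5), (6, 4),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Parse '10.7.2.0' or 'AOS-8.13.0.1' into a four-component int tuple.

    Shorter strings are right-padded with zeros so 8.13.1 == 8.13.1.0.
    Anything that is not two to four dotted integers raises ValueError.
    """
    text = text.strip()
    if text.upper().startswith("AOS-"):
        text = text[4:]
    parts = text.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def assess(version: str) -> str:
    """Return 'fixed', 'affected', 'end-of-maintenance' or 'not-listed'.

    'not-listed' mirrors the advisory's statement that versions outside the
    Affected Products section are not known to be affected.
    """
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch in EOM_BRANCHES:
        return "end-of-maintenance"
    if branch in FIXED_VERSIONS:
        return "fixed" if v >= FIXED_VERSIONS[branch] else "affected"
    return "not-listed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group AP hostnames by assessment so upgrades can be planned per bucket."""
    groups: dict[str, list[str]] = {}
    for host, version in inventory.items():
        groups.setdefault(assess(version), []).append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "ap-floor1-01": "10.7.2.0",
        "ap-floor1-02": "10.7.2.1",
        "ap-lab-01": "AOS-8.10.0.18",
        "ap-lab-02": "8.13.0.1",
        "ap-legacy-01": "10.6.0.3",
        "ap-legacy-02": "6.5.4.23",
    }
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status:20s} {', '.join(sorted(hosts))}")
```

The boundary cases are the ones worth checking by hand: 8.13.0.1 is "and below" in Affected Products while the first fixed 8.13 build is 8.13.1.0, so any 8.13.0.x build lands in the affected bucket, and 10.7.2.0 versus 10.7.2.1 differ only in the last component.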
You may contact HPE Services - Aruba Networking for assistance if needed.
For more information, please visit the HPE Aruba Networking Support Portal
at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit code
targeting these specific vulnerabilities as of the release date of the
advisory.

Revision History
================
Revision 1 / 2025-OCT-14 / Initial release
Revision 2 / 2025-OCT-15 / Corrected Software Versions under Affected
                           Products and Resolution sections

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2025 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.
-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmjv/5oXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE661Zgv/Z5BjUrHNAFEB395DQhpcRZ2x
LvSGyJ+2l8hsxOIwAS3q8UhC6JUn24RfYJlt8k04h8dvX1J6z8qqY8zMgmuHTeR5
TiOIoWGHJnCGIduHZszp9Jo0dzRoljA+2n8D7ZY/WKnUkiLAFg7JzhpYSZ4yt9LY
RznHZdmhRo2WV6AlSlCbVaBfMBu64zvBCg3en4892iDiRcDFu+wIBmU8QxaZRCi/
pDBxI5GN2gJPNgtrm8cUFQrCMBc5OVDGgeKtCwcWwAoAryYXKwBQKERYYn5UwP6p
bEHeKhNEkEdPwcm+czyV+6PaUuEGHdLr3sBgTdJMXPpWFMMHINu6ZLodo5tMHIU7
yR1V1u8rG3zHLbGRDa5ZfUkBDuAt9P6Qf41Ip5L3qGRY/C5mZDJIp0Bte48ITNmq
fhvFV2xd2LQI9r/MRiomCyDBxG098VY/vQk7TBIJNXLUrGqyJCWmUpwNweQ6FFXZ
n8LqVHvxtQ86ONOG46P6y8Q6EBMLqb27DYRnKN40
=v8mX
-----END PGP SIGNATURE-----