-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

HPE Aruba Networking Product Security Advisory
=============================================

Advisory ID: HPESBNW04987
CVE: CVE-2025-37168, CVE-2025-37169, CVE-2025-37170, CVE-2025-37171,
     CVE-2025-37172, CVE-2025-37173, CVE-2025-37174, CVE-2025-37175,
     CVE-2025-37176, CVE-2025-37177, CVE-2025-37178, CVE-2025-37179
Publication Date: 2026-Jan-13
Last Updated: 2026-Jan-27
Status: Confirmed
Severity: High
Revision: 2

Title
=====
Multiple Vulnerabilities in HPE Aruba Networking AOS-8 and AOS-10 for
Mobility Conductors, Controllers, and Gateways.

Overview
========
HPE Aruba Networking has released AOS-8 and AOS-10 patches for Mobility
Conductors, Controllers and Gateways to address multiple security
vulnerabilities.

Affected Products
=================
HPE Aruba Networking
- Mobility Conductors
- Mobility Controllers
- WLAN and SD-WAN Gateways Managed by HPE Aruba Networking Central

Affected Software Version(s):
- AOS-10.7.x.x: 10.7.2.1 and below
- AOS-10.4.x.x: 10.4.1.9 and below
- AOS-8.13.x.x: 8.13.1.0 and below
- AOS-8.10.x.x: 8.10.0.20 and below

The following software versions that are End of Maintenance (EoM) are
affected by these vulnerabilities and are not addressed by this advisory:
- AOS-10.6.x.x: all
- AOS-10.5.x.x: all
- AOS-10.3.x.x: all
- AOS-8.12.x.x: all
- AOS-8.11.x.x: all
- AOS-8.9.x.x: all
- AOS-8.8.x.x: all
- AOS-8.7.x.x: all
- AOS-8.6.x.x: all
- AOS-6.5.4.x: all
- SD-WAN 8.7.0.0-2.3.0.x: all
- SD-WAN 8.6.0.4-2.2.x.x: all

Unaffected Products
===================
Any other HPE Aruba Networking products and software versions not
specifically listed above are not affected by these vulnerabilities.
Details
=======

Unauthenticated Arbitrary File Deletion Vulnerability in AOS-8 Operating
System (CVE-2025-37168)
------------------------------------------------------------------------
An arbitrary file deletion vulnerability has been identified in a system
function of mobility conductors running the AOS-8 operating system.
Successful exploitation of this vulnerability could allow an
unauthenticated remote malicious actor to delete arbitrary files within
the affected system and potentially result in denial-of-service
conditions on affected devices.

Internal References: VULN-123
Severity: High
CVSS v3.1 Base Score: 8.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L

Discovery:
This vulnerability was discovered by n3k and reported through HPE Aruba
Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Stack Overflow Vulnerability in AOS-10 Web-Based Management Interface
(CVE-2025-37169)
------------------------------------------------------------------------
A stack overflow vulnerability exists in the AOS-10 web-based management
interface of a Mobility Gateway. Successful exploitation could allow an
authenticated malicious actor to execute arbitrary code as a privileged
user on the underlying operating system.

Internal References: VULN-87
Severity: High
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered by zzcentury from Ubisectech Sirius
Team and reported through HPE Aruba Networking's bug bounty program.

Note: Only AOS-10.x is impacted.
Mobility Gateways running the AOS-8.x software branch are not affected
by this vulnerability.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Command Injection Vulnerabilities in AOS-8 Web-Based
Management Interface (CVE-2025-37170, CVE-2025-37171, CVE-2025-37172)
------------------------------------------------------------------------
Authenticated command injection vulnerabilities exist in the web-based
management interface of mobility conductors running the AOS-8 operating
system. Successful exploitation could allow an authenticated malicious
actor to execute arbitrary commands as a privileged user on the
underlying operating system.

Internal References: VULN-141, VULN-139, VULN-129
Severity: High
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
These vulnerabilities were discovered by zzcentury from Ubisectech
Sirius Team and reported through HPE Aruba Networking's bug bounty
program.

Note: Only AOS-8.x is impacted. Mobility Gateways running the AOS-10.x
software branch are not affected by these vulnerabilities.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.
Improper Input Handling Vulnerability in Authenticated Configuration API
Endpoint (AOS-10/AOS-8 Web UI) (CVE-2025-37173)
------------------------------------------------------------------------
An improper input handling vulnerability exists in the web-based
management interface of mobility conductors running either the AOS-10 or
AOS-8 operating system. Successful exploitation could allow an
authenticated malicious actor with valid credentials to trigger
unintended behavior on the affected system.

Internal References: VULN-140
Severity: High
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered by moonv and reported through HPE
Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Write Vulnerability in AOS-10 and AOS-8
Web-Based Management Interface (CVE-2025-37174)
------------------------------------------------------------------------
An authenticated arbitrary file write vulnerability exists in the
web-based management interface of mobility conductors running either the
AOS-10 or AOS-8 operating system. Successful exploitation could allow an
authenticated malicious actor to create or modify arbitrary files and
execute arbitrary commands as a privileged user on the underlying
operating system.

Internal References: VULN-79
Severity: High
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered by zzcentury from Ubisectech Sirius
Team and reported through HPE Aruba Networking's bug bounty program.
Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Upload Vulnerability in AOS-10 or AOS-8
Web-Based Management Interface (CVE-2025-37175)
------------------------------------------------------------------------
An arbitrary file upload vulnerability exists in the web-based
management interface of mobility conductors running either the AOS-10 or
AOS-8 operating system. Successful exploitation could allow an
authenticated malicious actor to upload arbitrary files as a privileged
user and execute arbitrary commands on the underlying operating system.

Internal References: VULN-75
Severity: High
CVSS v3.1 Base Score: 7.2
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Discovery:
This vulnerability was discovered by zzcentury from Ubisectech Sirius
Team and reported through HPE Aruba Networking's bug bounty program.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Command Injection Vulnerability in an AOS-8 Operating
System's Internal Workflow (CVE-2025-37176)
------------------------------------------------------------------------
A command injection vulnerability in AOS-8 allows an authenticated
privileged user to alter a package header to inject shell commands,
potentially affecting the execution of internal operations.
Successful exploitation could allow an authenticated malicious actor to
execute commands with the privileges of the impacted mechanism.

Internal References: VULN-73, VULN-72
Severity: Medium
CVSS v3.1 Base Score: 6.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Discovery:
This vulnerability was discovered by erikdejong and reported through
HPE Aruba Networking's bug bounty program.

Note: Only AOS-8.x is impacted. Mobility Gateways running the AOS-10.x
software branch are not affected by this vulnerability.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Authenticated Arbitrary File Deletion Vulnerability in AOS-10 or AOS-8
Command Line Interface (CLI) (CVE-2025-37177)
------------------------------------------------------------------------
An arbitrary file deletion vulnerability has been identified in the
command-line interface of mobility conductors running either the AOS-10
or AOS-8 operating system. Successful exploitation of this vulnerability
could allow an authenticated remote malicious actor to delete arbitrary
files within the affected system.

Internal References: VULN-104
Severity: Medium
CVSS v3.1 Base Score: 6.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Discovery:
This vulnerability was discovered by LIUPENG and reported through HPE
Aruba Networking's bug bounty program.
Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.

Out-of-Bounds Read Vulnerabilities Leading to Process Crash
(CVE-2025-37178, CVE-2025-37179)
------------------------------------------------------------------------
Multiple out-of-bounds read vulnerabilities were identified in a system
component responsible for handling certain data buffers. Due to
insufficient validation of maximum buffer size values, the process may
attempt to read beyond the intended memory region. Under specific
conditions, this can result in a crash of the affected process and a
potential denial of service of that process.

Internal References: VULN-143, VULN-88
Severity: Medium
CVSS v3.1 Base Score: 5.3
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Discovery:
These vulnerabilities were discovered by n3k and m0omo0d, and reported
through HPE Aruba Networking's bug bounty program.

Note: AOS-8.x is impacted. Mobility Gateways running the AOS-10.x
software branch might also be affected by these vulnerabilities.

Resolution:
Engineering is actively working on a permanent fix for these issues.
Until the update is released, we strongly encourage users to apply the
provided workaround as a mitigation measure. This advisory will be
updated promptly once the fix becomes available.

Workaround:
To minimize the likelihood of an attacker exploiting this vulnerability,
HPE Aruba Networking recommends that the CLI and web-based management
interfaces be restricted to a dedicated layer 2 segment/VLAN and/or
controlled by firewall policies at layer 3 and above, along with
accounting controls for tracking and logging user activities and
resource usage.
Resolution
==========
With the exception of CVE-2025-37178 and CVE-2025-37179, the remaining
vulnerabilities are resolved by upgrading Mobility Conductors,
Controllers, and Gateways to one of the AOS-8 or AOS-10 versions listed
below (as applicable). This upgrade remediates the vulnerabilities
described in the Details section.

- AOS-10.7.x.x: 10.7.2.2 and above
- AOS-10.4.x.x: 10.4.1.10 and above
- AOS-8.13.x.x: 8.13.1.1 and above
- AOS-8.10.x.x: 8.10.0.21 and above

Software versions with resolution/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal at
https://networkingsupport.hpe.com/downloads;fileTypes=SOFTWARE

HPE Aruba Networking does not evaluate or patch AOS-10 GW and AOS-8
Controller/Mobility Conductor software branches that have reached their
End of Maintenance (EoM) milestone. For more information about HPE Aruba
Networking's End of Life policy visit:
https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
You may contact HPE Services - Aruba Networking for assistance if needed.
For more information, please visit the HPE Aruba Networking Support
Portal at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date of
the advisory.

Revision History
================
Revision 1 / 2026-Jan-13 / Initial release
Revision 2 / 2026-Jan-27 / Updated CVE-2025-37178 and CVE-2025-37179
                           Details block and Resolution section.
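The affected-version list in Affected Products and the fixed builds in the Resolution section are easy to misjudge by eye or with a string sort: as text, 10.4.1.10 sorts before 10.4.1.9, and an EoM branch such as AOS-8.12 looks newer than the patched AOS-8.10.0.21. The following added example (not HPE's tooling) encodes the advisory's two lists and triages an inventory of running versions into fixed, affected, EoM, or not listed, and reminds the operator that CVE-2025-37178 and CVE-2025-37179 remain unfixed in every build as of revision 2. It covers only the AOS-8/AOS-10 branches named in the advisory (the SD-WAN 8.x builds use a different version format and are not parsed); the hostnames and builds in the sample inventory are constructed for the example.

```python
"""Triage AOS-8 / AOS-10 versions against the affected and fixed lists in HPESBNW04987.

Added example (not HPE tooling). Covers only the AOS branches named in the
advisory; the EoM SD-WAN builds use a different version format and are skipped.
"""
from dataclasses import dataclass

# First fixed build per supported branch, from the Resolution section.
FIXED_IN = {
    (10, 7): (10, 7, 2, 2),
    (10, 4): (10, 4, 1, 10),
    (8, 13): (8, 13, 1, 1),
    (8, 10): (8, 10, 0, 21),
}

# End-of-Maintenance branches: every build is affected and none will be patched.
EOM_PREFIXES = [
    (10, 6), (10, 5), (10, 3),
    (8, 12), (8, 11), (8, 9), (8, 8), (8, 7), (8, 6),
    (6, 5, 4),
]

# Still unfixed in every build as of revision 2 of the advisory.
UNFIXED_CVES = ("CVE-2025-37178", "CVE-2025-37179")


def parse_version(text: str) -> tuple:
    """Turn 'AOS-8.10.0.20' or '8.10.0.20' into a tuple of ints so that
    10.4.1.10 compares greater than 10.4.1.9 (a string compare gets this wrong)."""
    text = text.strip()
    if text.upper().startswith("AOS-"):
        text = text[4:]
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AOS version string: {text!r}")
    return tuple(int(p) for p in parts)


@dataclass
class Triage:
    host: str
    version: str
    status: str   # "fixed", "affected", "eom" or "not-listed"
    action: str


def triage(version: str, host: str = "") -> Triage:
    """Classify one device's running version against the advisory."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if v >= fixed:
            pending = ", ".join(UNFIXED_CVES)
            return Triage(host, version, "fixed",
                          f"patched build; {pending} still unfixed, keep the "
                          "management-plane workaround in place")
        fixed_str = ".".join(str(n) for n in fixed)
        return Triage(host, version, "affected", f"upgrade to {fixed_str} or later")
    if any(v[:len(prefix)] == prefix for prefix in EOM_PREFIXES):
        return Triage(host, version, "eom",
                      "End of Maintenance: no patch; migrate to a supported branch")
    return Triage(host, version, "not-listed",
                  "not listed in the advisory; treated as unaffected")


# Constructed sample inventory (hostnames and builds are made up for the example).
SAMPLE_INVENTORY = """\
# hostname,version
mc-core-01,AOS-8.10.0.20
mc-core-02,AOS-8.10.0.21
gw-branch-07,10.4.1.9
gw-branch-08,10.7.2.2
mc-legacy-03,8.6.0.23
"""


def triage_inventory(csv_text: str) -> list:
    """Triage every 'hostname,version' line of an inventory export."""
    results = []
    for line in csv_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (field.strip() for field in line.split(",", 1))
        results.append(triage(version, host))
    return results


if __name__ == "__main__":
    for t in triage_inventory(SAMPLE_INVENTORY):
        print(f"{t.host:<14} {t.version:<14} {t.status:<11} {t.action}")
```

Versions outside the listed branches are reported as "not-listed" because the advisory's Unaffected Products section says exactly that; when a newer advisory revision changes the lists, only the two tables at the top need editing.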
HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
https://www.hpe.com/support/security-response-policy

For reporting *NEW* HPE Aruba Networking security issues, email can be
sent to aruba-sirt(at)hpe.com. For sensitive information we encourage
the use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information.

-----BEGIN PGP SIGNATURE-----

iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmly5OUXHHNlY3VyaXR5
LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE65oggv/UANDfqLFoK+cF8T7Svo25lUJ
tAWuUInr+JN3lLqQFnKI+FMgjj1FJs6yq4yVlVL387LfuUk76fgf5CaNRXQhm55F
gk/bw9DV37y+AilcRsWBnA/BCEDUc6NtSzA++Z/SgRbscLiCp7ypqWW1hWdJSYQd
JubTm/WLEDAOFduhhZshQfFi1r/EeNHb8YrUcnymajyZZzCSnDvZOtaHAcRAITPB
ITs4MWlPhjzLLLdT2qb4HWcB2GXb1NBM/Q3FpvS89zSFeLdXLo6EpPr4R30dBKWT
ZDzccbuZQ5kjdpUQ04P4o+p4mZUhfsTvoNCePj+Rf2pURwNBD7GsIQ6gzYx7d/55
Xr94sKIri7x983nuKGgJLTY35cMHzmHNemzZ0/EMSS8Xve05nP0UUC86HPWh5rL3
+/djaE2qRgxxT1j8HjFU/8tiK5REcpRUjurkwal6nRNkSFjeG1Ol2axlFS774IrI
/qzuBg8puyrJlAP+vwimXJ+SBIilxuy20QEleutd
=4hiw
-----END PGP SIGNATURE-----