CVE-2025-37138
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-11-12
Assigner: Hewlett Packard Enterprise (HPE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| arubanetworks | arubaos | From 8.10.0.0 (inc) to 8.10.0.19 (exc) |
| arubanetworks | arubaos | From 8.12.0.0 (inc) to 8.12.0.6 (exc) |
| arubanetworks | arubaos | From 8.13.0.0 (inc) to 8.13.1.0 (exc) |
| arubanetworks | arubaos | From 10.4.0.0 (inc) to 10.4.1.9 (exc) |
| arubanetworks | arubaos | From 10.7.0.0 (inc) to 10.7.2.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an authenticated command injection flaw in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. It requires an attacker to have physical access to the hardware controllers and be authenticated. If exploited, the attacker can execute arbitrary commands with privileged user rights on the underlying operating system.
How can this vulnerability impact me? :
If exploited, this vulnerability could allow a malicious authenticated user with physical access to the device to execute arbitrary commands as a privileged user. This could lead to unauthorized control over the system, potentially compromising confidentiality, integrity, and availability of the affected device and its data.