Vulnerability

CERT-In Vulnerability Note CIVN-2025-0336
Multiple Vulnerabilities in HPE Aruba Networking AOS-CX

Original Issue Date:November 21, 2025

Severity Rating: HIGH

Software Affected

HPE Aruba Networking AOS-CX Software Version(s):

AOS-CX 10.16.xxxx: 10.16.1000 and below
AOS-CX 10.15.xxxx: 10.15.1020 and below
AOS-CX 10.14.xxxx: 10.14.1050 and below
AOS-CX 10.13.xxxx: 10.13.1090 and below
AOS-CX 10.10.xxxx: 10.10.1160 and below

Overview

Multiple vulnerabilities have been reported in HPE Aruba Networking AOS-CX that could be exploited by an unauthenticated attacker to Gain Unauthorized Access; Remote: Access Restriction Bypass, Arbitrary Command Execution, Code Execution, Denial of Service (DoS), Disclosure of Sensitive Information, Elevated Privileges, Session Reuse on the targeted system.

Target Audience:
Network Engineers / Administrators, System Administrators / DevOps, Security Operations Center (SOC) / Incident Response, Security Architects.

Risk Assessment
Identity Compromise and Credential Theft.

Impact Assessment:
There are high risks of Confidentiality, Integrity, and Availability.

Description

1. Privilege Escalation Vulnerability ( CVE-2025-37155   )

This Vulnerability exists in the SSH restricted shell interface that fails to enforce proper privilege separation for read-only users. This Vulnerability exploited by an attacker to gain legitimate access to the management interface via SSH with read-only or low-level credentials.
Successful exploitation of this Vulnerability could allow an attacker with read-only access to escalate privileges to administrator access on the affected device.

2. Denial-of-Service (DoS) Vulnerability ( CVE-2025-37156   )

This Vulnerability exists in the AOS-CX software that allows specific administrative code to be executed.
Successful exploitation of this Vulnerability could allow an authenticated administrator to execute code that renders the switch non-bootable and effectively non-functional.

3. Command Injection Vulnerability ( CVE-2025-37157   CVE-2025-37158   )

These Vulnerabilities exist in AOS-CX Operating System due to insufficient input validation or improper command handling.
Successful exploitation of these Vulnerabilities could allow an attacker to execute arbitrary commands on the system.

4. Denial-of-Service (DoS) Vulnerability ( CVE-2025-26466   )

This Vulnerability exists in the OpenSSH package due to improper handling of SSH2_MSG_PING packets during the pre-authentication phase. This Vulnerability exploited by an attacker to send PING packets, causing an uncontrolled increase in memory and CPU consumption on the server side.
Successful exploitation of this Vulnerability could allow an attacker leads to the server crashing or becoming unresponsive, resulting in a denial of service.

5.  Session Hijacking Vulnerability ( CVE-2025-37159   )

This Vulnerability exists in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session.
Successful exploitation of this Vulnerability could allow an attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.

6. Broken Access Control (BAC) Vulnerability ( CVE-2024-37160   )

This Vulnerability exists in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information.
Successful exploitation of this Vulnerability could enable the attacker to disclose sensitive data.

Solution

Apply appropriate software updates as mentioned by Security vendor
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04971en_us&docLocale=en_US
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

CVE Name
CVE-2025-37155
CVE-2025-37156
CVE-2025-37157
CVE-2025-37158
CVE-2025-26466
CVE-2025-37159
CVE-2024-37160

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India