Vulnerability

CERT-In Vulnerability Note CIVN-2026-0043
Multiple Vulnerabilities in HPE Aruba Networking AOS

Original Issue Date:January 22, 2026

Severity Rating: HIGH

Systems Affected

HPE (Hewlett Packard Enterprise) Aruba Networking Mobility Conductors, Controllers and WLAN and SD-WAN Gateways
HPE AOS (Aruba OS) -10.7.2.1 and below
HPE AOS -10.4.1.9 and below
HPE AOS- 8.13.1.0 and below
HPE AOS -8.10.0.20 and below
All HPE AOS-10.6.x.x versions
All HPE AOS-10.5.x.x versions
All HPE AOS-10.3.x.x versions
All HPE AOS-8.12.x.x versions
All HPE AOS-8.11.x.x versions
All HPE AOS-8.9.x.x versions
All HPE AOS-8.8.x.x versions
All HPE AOS-8.7.x.x versions
All HPE AOS-8.6.x.x versions
All HPE AOS-6.5.4.x versions
All HPE SD-WAN 8.7.0.0-2.3.0.x versions
All HPE SD-WAN 8.6.0.4-2.2.x.x versions

Overview

Multiple Vulnerabilities have been reported in HPE ArubaOS (AOS) which could allow the attacker to execute arbitrary code, command injection, arbitrary file deletion, buffer overflow, Stack overflow and denial of service (DoS) attack on the targeted systems.

Target Audience:
All organizations and individuals using HPE Aruba Networking AOS.

Risk Assessment:
High risks of system compromise and unauthorized access.

Impact Assessment:
Potential impact on confidentiality, integrity and availability of the system.

Description

1. Arbitrary File Deletion Vulnerability ( CVE-2025-37168   )

A vulnerability exists in a system function of mobility conductors running AOS-8 operating system due to missing authorization checks. An attacker could exploit this vulnerability by sending specially crafted request to the system. Successful exploitation of this vulnerability could allow the attacker to delete arbitrary files and cause denial of service (DoS) conditions on affected devices.

2. Stack Overflow Vulnerability ( CVE-2025-37169   )

A vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway due to a boundary error. An attacker could exploit this vulnerability by sending specially crafted request to the system.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and trigger a stack based buffer overflow on the targeted system.

3. Command Injection Vulnerability ( CVE-2025-37170   CVE-2025-37171   CVE-2025-37172   )

These vulnerabilities exist in the web based management interface of mobility conductors running AOS-8 operating system due to improper input validation. An attacker could exploit these vulnerabilities by sending specially crafted HTTP request to the system.
Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary commands on the targeted system.

4. Improper Input Handling Vulnerability ( CVE-2025-37173   )

A vulnerability exists in the web based management interface of mobility conductors running either AOS-10 or AOS-8 operating system due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by sending specially crafted input to the system.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code and compromise the affected system.

5. Arbitrary File Write Vulnerability ( CVE-2025-37174   )

A vulnerability exists in the web based management interface of mobility conductors running either AOS-10 or AOS-8 operating system due to insufficient validation of file during file upload.
Successful exploitation of this vulnerability could allow the attacker to create or modify arbitrary files and execute arbitrary commands on the targeted system.

6. Arbitrary File Upload Vulnerability ( CVE-2025-37175   )

A vulnerability exists in the web based management interface of mobility conductors running either AOS-10 or AOS-8 operating system due to insufficient validation of file during file upload.
Successful exploitation of this vulnerability could allow the attacker to upload a malicious file and execute it on the affected system.

7. Command Injection Vulnerability ( CVE-2025-37176   )

A vulnerability exists in AOS-8 due to improper input validation. An attacker could exploit this vulnerability by altering a package header.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary commands on the targeted system.

8. Arbitrary File Deletion Vulnerability ( CVE-2025-37177   )

A vulnerability exists in the command line interface of mobility conductors running either AOS-10 or AOS-8 operating system due to improper input validation.
Successful exploitation of this vulnerability could allow the attacker to delete arbitrary files of the affected system.

9. Out-of-Bounds Read Vulnerability ( CVE-2025-37178   CVE-2025-37179   )

These vulnerabilities exist in a system component responsible for handling certain data buffers due to insufficient validation of maximum buffer size values. An attacker could exploit these vulnerabilities by sending specially crafted data to the system.
Successful exploitation of these vulnerabilities could allow the attacker to perform denial of service attack on the affected system.

Solution

Apply appropriate updates as mentioned in HPE Aruba advisory:
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US

Vendor Information

HPE
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US

References

HPE
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US

CVE Name
CVE-2025-37168
CVE-2025-37169
CVE-2025-37170
CVE-2025-37173
CVE-2025-37174
CVE-2025-37175
CVE-2025-37176
CVE-2025-37177
CVE-2025-37178
CVE-2025-37171
CVE-2025-37172
CVE-2025-37179

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91-11-22902657

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India