CVE-2025-37137
📋 TL;DR
CVE-2025-37137 lets an authenticated remote attacker delete arbitrary files on Aruba AOS-8 Controllers and Mobility Conductors through the command-line interface. Any organization running these devices is affected. Exploitation requires valid credentials that grant CLI access; it is not reachable by an unauthenticated attacker.
💻 Affected Systems
- Aruba AOS-8 Controller
- Aruba Mobility Conductor
📦 What is this software?
ArubaOS (AOS-8) by Aruba Networks, now HPE Aruba Networking. AOS-8 is the operating system of Aruba Mobility Controllers and of the Mobility Conductor that centrally manages them; the CLI is reachable over SSH and, if enabled, Telnet on the management interface.
⚠️ Risk & Real-World Impact
Worst Case
Critical system files could be deleted, causing complete system failure, service disruption, or enabling further attacks by removing security controls and logs.
Likely Case
Attackers delete configuration files, logs, or application files to disrupt services, hide evidence of compromise, or degrade system functionality.
If Mitigated
With CLI access restricted to a small set of trusted administrator accounts and CLI sessions logged, exposure is limited to those accounts (or to an attacker who has already obtained one of them), and a deletion leaves an audit trail that can be acted on. Access control does not limit which files a successful attacker can delete; only the patch does.
🎯 Exploit Status
No public exploit is referenced on this page. Exploitation requires an authenticated CLI session, so the main barrier is obtaining valid credentials (or abusing a legitimate administrator account), not the technique itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: AOS-8 version 8.12.0.0 or later
Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US
Restart Required: Yes. The controller or conductor must reload to boot the new image.
Instructions:
1. Download AOS-8 version 8.12.0.0 or later from the HPE Networking Support Portal. 2. Copy the image to the inactive system partition of the device (the 'copy ... system: partition' command). 3. Select that partition as the boot partition ('boot system partition') and reload. 4. In a Mobility Conductor deployment, upgrade the Conductor first, then the managed controllers, and confirm each device comes back on the new version before moving on.
🔧 Temporary Workarounds
Restrict CLI Access
Limit CLI access to trusted administrators only, using role-based access controls and network segmentation of the management interface.
🧯 If You Can't Patch
- Implement strict access controls to limit CLI access to essential personnel only.
- Enable comprehensive logging and monitoring of file deletion activities and CLI sessions.
🔍 How to Verify
Check if Vulnerable:
Run 'show version' and compare the reported AOS version against 8.12.0.0. Any AOS-8 release below 8.12.0.0 is vulnerable. Compare the version field by field as numbers, not as a string: 8.10.0.9 is older than 8.12.0.0 even though it has more digits.
Check Version:
show version
Verify Fix Applied:
After upgrading, run 'show version' to confirm version is 8.12.0.0 or higher.
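The version comparison above is easy to get wrong when scripted against many devices. The following is an added example, not code from this page or from HPE Aruba Networking: it parses the version line out of captured 'show version' text and applies the page's rule (AOS-8 below 8.12.0.0 is vulnerable). The sample output is constructed, and the exact banner layout is an assumption; only the 'Version a.b.c.d' token is relied on.

```python
import re

# Fixed release stated in the advisory summary above (AOS-8 train only).
FIXED_VERSION = (8, 12, 0, 0)

# Constructed sample of 'show version' output; layout is an assumption,
# only the "Version a.b.c.d" token is parsed.
SAMPLE_SHOW_VERSION = """\
Aruba Operating System Software.
ArubaOS (MODEL: Aruba7210), Version 8.10.0.9
Website: http://www.arubanetworks.com
"""

VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(show_version_output):
    """Return the AOS version as a tuple of ints, e.g. (8, 10, 0, 9)."""
    m = VERSION_RE.search(show_version_output)
    if not m:
        raise ValueError("no 'Version a.b.c.d' token found in show version output")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version):
    """True if an AOS-8 version is below the fixed release, False if at or
    above it, None if the device is not on the AOS-8 train (out of scope
    for this page's patch information)."""
    if version[0] != 8:
        return None
    # Tuple comparison is field-by-field numeric, so (8,10,0,9) < (8,12,0,0)
    # even though "8.10.0.9" is the longer string.
    return version < FIXED_VERSION


def assess(show_version_output):
    """Parse and classify in one call; returns (version_string, verdict)."""
    version = parse_version(show_version_output)
    verdict = is_vulnerable(version)
    label = {True: "VULNERABLE", False: "fixed", None: "not AOS-8"}[verdict]
    return ".".join(map(str, version)), label


if __name__ == "__main__":
    print(assess(SAMPLE_SHOW_VERSION))
```

Feed it the raw output of 'show version' collected over SSH from each device; a verdict of None means the device is not on AOS-8 and must be checked against the vendor advisory separately.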
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Multiple failed authentication attempts followed by successful CLI login
- CLI session logs showing file deletion commands
Network Indicators:
- Unusual CLI access patterns from unexpected IP addresses
- Increased SSH/Telnet traffic to management interfaces
SIEM Query (illustrative; field names depend on how your collector parses the controller's audit trail):
source="aruba_controller" AND (event_type="file_deletion" OR command="rm" OR command="delete")
The AOS-8 CLI verb for removing a file is 'delete filename', so if your parser does not normalize commands into a field, match on the command text of the CLI audit events instead. Correlate any deletion with the login history of the same source address: a burst of failed logins followed by a success and then a delete is the sequence worth paging on.
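The log indicators above are easier to act on when they are correlated rather than matched individually. The following is an added example, not part of this page or of any vendor tooling: it runs two of the listed detections (failed logins followed by a successful CLI login from the same source, and CLI file-deletion commands) over a few constructed log lines and flags deletions from a source that had just brute-forced its way in. The log format, the 'auth:' and 'cli:' prefixes and the regular expressions are assumptions and must be adapted to the audit-trail format your controller actually emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real AOS-8 output). The field layout is an
# assumption for illustration; adjust AUTH_RE / CLI_RE to your real format.
SAMPLE_LOGS = """\
2025-05-01T10:00:01 ctrl1 auth: Authentication failed for user admin from 203.0.113.7
2025-05-01T10:00:05 ctrl1 auth: Authentication failed for user admin from 203.0.113.7
2025-05-01T10:00:09 ctrl1 auth: Authentication failed for user admin from 203.0.113.7
2025-05-01T10:00:14 ctrl1 auth: Authentication succeeded for user admin from 203.0.113.7
2025-05-01T10:00:30 ctrl1 cli: USER: admin@203.0.113.7 COMMAND: <show version>
2025-05-01T10:00:45 ctrl1 cli: USER: admin@203.0.113.7 COMMAND: <delete filename default.cfg>
2025-05-01T11:15:00 ctrl1 cli: USER: netops@10.0.0.5 COMMAND: <delete filename old-backup.cfg>
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: Authentication (?P<result>failed|succeeded) "
    r"for user (?P<user>\S+) from (?P<ip>\S+)$")
CLI_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) cli: USER: (?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"COMMAND: <(?P<cmd>[^>]*)>$")
# AOS-8 removes files with 'delete filename ...'; 'rm' is kept for completeness.
DELETE_RE = re.compile(r"^(delete|rm)\b")


def parse_line(line):
    """Turn one log line into an event dict, or None if it is not recognised."""
    m = AUTH_RE.match(line)
    if m:
        kind = "auth_ok" if m["result"] == "succeeded" else "auth_fail"
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": kind,
                "user": m["user"], "ip": m["ip"], "cmd": None}
    m = CLI_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "kind": "cli",
                "user": m["user"], "ip": m["ip"], "cmd": m["cmd"]}
    return None


def parse_logs(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def brute_force_then_login(events, threshold=3, window=timedelta(minutes=5)):
    """Return (user, ip, ts) for each successful login preceded by at least
    `threshold` failures from the same (user, ip) within `window`."""
    fails = defaultdict(deque)  # (user, ip) -> timestamps of recent failures
    hits = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "auth_fail":
            fails[key].append(e["ts"])
        elif e["kind"] == "auth_ok":
            q = fails[key]
            while q and e["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                hits.append((e["user"], e["ip"], e["ts"]))
            q.clear()                              # a success resets the counter
    return hits


def file_deletions(events):
    """Return (user, ip, command) for every CLI event that removes a file."""
    return [(e["user"], e["ip"], e["cmd"])
            for e in events if e["kind"] == "cli" and DELETE_RE.match(e["cmd"])]


def correlate(events, trusted_ips=frozenset()):
    """Severity-rank deletions: 'high' if the source had just brute-forced a
    login, 'medium' if the source is not a trusted admin address, else 'low'."""
    suspicious_ips = {ip for _, ip, _ in brute_force_then_login(events)}
    findings = []
    for user, ip, cmd in file_deletions(events):
        if ip in suspicious_ips:
            severity = "high"
        elif ip not in trusted_ips:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"user": user, "ip": ip, "cmd": cmd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_logs(SAMPLE_LOGS), trusted_ips={"10.0.0.5"}):
        print(f)
```

On the constructed sample this produces one high-severity finding (admin from 203.0.113.7 deleting default.cfg right after three failed logins) and one low-severity finding (netops from a trusted address). Tune the failure threshold and window to your environment, and treat any deletion from an untrusted source as worth a look regardless of the login history, since a stolen credential produces no failures at all.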