CVE-2025-37138
📋 TL;DR
An authenticated command injection vulnerability in AOS-10 GW and AOS-8 Controllers/Mobility Conductor allows attackers with physical access to execute arbitrary commands as privileged users. This affects organizations using these specific hardware controllers. Exploitation requires both authentication credentials and physical access to the device.
💻 Affected Systems
- AOS-10 GW
- AOS-8 Controllers
- Mobility Conductor
📦 What is this software?
ArubaOS by Aruba Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the controller allowing installation of persistent backdoors, data exfiltration, and lateral movement to connected networks.
Likely Case
Local privilege escalation leading to configuration changes, service disruption, or credential harvesting from the controller.
If Mitigated
Limited impact due to physical access controls preventing unauthorized individuals from reaching the device console.
🎯 Exploit Status
Requires physical access to device console and valid authentication credentials. Command injection occurs through CLI interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check HPE advisory for specific patched versions
Vendor Advisory: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04957en_us&docLocale=en_US
Restart Required: No
Instructions:
1. Review the HPE advisory for affected versions.
2. Download the appropriate patches from the HPE support portal.
3. Apply the patches following HPE documentation.
4. Verify that the patch was applied.
🔧 Temporary Workarounds
Physical Access Controls
Restrict physical access to controller hardware to authorized personnel only
CLI Access Restrictions
Implement strict authentication and authorization policies for CLI access
🧯 If You Can't Patch
- Implement strict physical security controls including locked server rooms, access logs, and surveillance
- Enforce multi-factor authentication and least privilege access for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check device version against HPE advisory and verify if running affected AOS version
Check Version:
show version (or equivalent for specific AOS version)
Verify Fix Applied:
Verify patch installation through version check and confirm no command injection via CLI testing
📡 Detection & Monitoring
Log Indicators:
- Unusual CLI command execution patterns
- Multiple failed authentication attempts followed by successful login
- Privilege escalation attempts in system logs
Network Indicators:
- Unusual outbound connections from controller after physical access events
SIEM Query:
source="controller_logs" AND (event="command_injection" OR event="privilege_escalation")
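As an added example (not from the advisory or from HPE), the "multiple failed authentication attempts followed by a successful login" indicator above implemented over constructed syslog-style lines; the line layout, the `authmgr` tag and the `user=`/`src=` field names are assumptions that must be adapted to the real controller log format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, syslog-style login events; the field layout is an assumption,
# not ArubaOS's real log format. Adjust LINE_RE to the controller's output.
SAMPLE_LOGS = """\
2025-05-01T10:00:01 ctrl01 authmgr: login failed user=admin src=console
2025-05-01T10:00:05 ctrl01 authmgr: login failed user=admin src=console
2025-05-01T10:00:09 ctrl01 authmgr: login failed user=admin src=console
2025-05-01T10:00:20 ctrl01 authmgr: login success user=admin src=console
2025-05-01T11:30:00 ctrl01 authmgr: login failed user=ops src=10.0.0.5
2025-05-01T11:45:00 ctrl01 authmgr: login success user=ops src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ authmgr: login (?P<result>failed|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_failed_then_success(log_text, min_failures=3, window=timedelta(minutes=5)):
    """Return (user, src, n_failures, success_ts) for every successful login that
    follows at least `min_failures` failures from the same user/source within `window`."""
    recent = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login event in the assumed format
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        # keep only failures that are still inside the sliding window
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if m["result"] == "failed":
            recent[key].append(ts)
        else:
            if len(recent[key]) >= min_failures:
                alerts.append((m["user"], m["src"], len(recent[key]), m["ts"]))
            recent[key].clear()  # a success ends the streak either way
    return alerts

if __name__ == "__main__":
    for user, src, n, ts in find_failed_then_success(SAMPLE_LOGS):
        print(f"ALERT {ts}: {n} failed logins then success for {user} from {src}")
```

Console-sourced matches (`src=console`) deserve extra attention here, since the vulnerability requires physical access to the device.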