CVE-2025-37177 (GCVE-0-2025-37177)
Vulnerability from cvelistv5 – Published: 2026-01-13 20:08 – Updated: 2026-01-13 20:54
- CWE-552 - Files or Directories Accessible to External Parties
| Vendor | Product | Version | |
|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | ArubaOS (AOS) | Affected: 10.6.0.0, ≤ 10.7.2.1 (semver); Affected: 10.3.0.0, ≤ 10.4.1.9 (semver); Affected: 8.12.0.0, ≤ 8.13.1.0 (semver); Affected: 8.10.0.0, ≤ 8.10.0.20 (semver) | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37177",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T20:54:11.185125Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-552",
"description": "CWE-552 Files or Directories Accessible to External Parties",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T20:54:14.563Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "ArubaOS (AOS)",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.7.2.1",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.4.1.9",
"status": "affected",
"version": "10.3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.13.1.0",
"status": "affected",
"version": "8.12.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.10.0.20",
"status": "affected",
"version": "8.10.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LIUPENG"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.\u003c/p\u003e"
}
],
"value": "An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-13T20:08:06.545Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04987",
"discovery": "INTERNAL"
},
"title": "Authenticated Arbitrary File Deletion Vulnerability in AOS-10 or AOS-8 Command Line Interface (CLI)",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37177",
"datePublished": "2026-01-13T20:08:06.545Z",
"dateReserved": "2025-04-16T01:28:25.379Z",
"dateUpdated": "2026-01-13T20:54:14.563Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2025-37177",
"date": "2026-06-18",
"epss": "0.0031",
"percentile": "0.22508"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2025-37177\",\"sourceIdentifier\":\"security-alert@hpe.com\",\"published\":\"2026-01-13T20:16:05.853\",\"lastModified\":\"2026-01-23T16:10:10.127\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-alert@hpe.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.5.4.0\",\"versionEndExcluding\":\"8.10.0.21\",\"matchCriteriaId\":\"187C0AB6-1290-4FE3-9FFE-7317DC57B931\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"8.11.0.0\",\"versionEndExcluding\":\"8.13.1.1\",\"matchCriteriaId\":\"1C7390DD-329B-44A3-9693-34211258DF37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.3.0.0\",\"versionEndExcluding\":\"10.4.1.10\",\"matchCriteriaId\":\"93E77EBB-E4
6E-47E5-ADD2-1BD80257B08B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.5.0.0\",\"versionEndExcluding\":\"10.7.2.2\",\"matchCriteriaId\":\"48B3A810-4DD3-403E-9A76-AB86EF7EA9D1\"}]}]}],\"references\":[{\"url\":\"https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US\",\"source\":\"security-alert@hpe.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-37177\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-13T20:54:11.185125Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-552\", \"description\": \"CWE-552 Files or Directories Accessible to External Parties\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-13T20:54:04.583Z\"}}], \"cna\": {\"title\": \"Authenticated Arbitrary File Deletion Vulnerability in AOS-10 or AOS-8 Command Line Interface (CLI)\", \"source\": {\"advisory\": \"HPESBNW04987\", \"discovery\": \"INTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"LIUPENG\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Hewlett Packard Enterprise (HPE)\", \"product\": \"ArubaOS (AOS)\", \"versions\": [{\"status\": \"affected\", \"version\": \"10.6.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.7.2.1\"}, {\"status\": \"affected\", \"version\": \"10.3.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"10.4.1.9\"}, {\"status\": \"affected\", \"version\": \"8.12.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.13.1.0\"}, {\"status\": 
\"affected\", \"version\": \"8.10.0.0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"8.10.0.20\"}], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US\"}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eAn arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.\u003c/p\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"eb103674-0d28-4225-80f8-39fb86215de0\", \"shortName\": \"hpe\", \"dateUpdated\": \"2026-01-13T20:08:06.545Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2025-37177\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-13T20:54:14.563Z\", \"dateReserved\": \"2025-04-16T01:28:25.379Z\", \"assignerOrgId\": \"eb103674-0d28-4225-80f8-39fb86215de0\", \"datePublished\": \"2026-01-13T20:08:06.545Z\", \"assignerShortName\": \"hpe\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0042
Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14
De multiples vulnérabilités ont été découvertes dans les produits HPE Aruba Networking. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
L’éditeur précise que les versions ArubaOS 6.5.4.x, 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.11.x, 8.12.x, 10.3.x, 10.5.x, 10.6.x et SD-WAN 8.6.0.4-2.2.x, 8.7.0.0-2.3.0.x sont en fin de maintenance (EoM) et ne bénéficient plus de mises à jour de sécurité.
| Vendor | Product | Description | ||
|---|---|---|---|---|
| HPE Aruba Networking | Instant On | Instant On versions antérieures à 3.3.2.0 | ||
| HPE Aruba Networking | EdgeConnect SD-WAN Orchestrator | EdgeConnect SD-WAN Orchestrator versions antérieures à 9.5.6 | ||
| HPE Aruba Networking | Virtual Intranet Access | Virtual Intranet Access (VIA) versions antérieures à 4.7.6 | ||
| HPE Aruba Networking | EdgeConnect SD-WAN Orchestrator | EdgeConnect SD-WAN Orchestrator versions antérieures à 9.6.1 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 10.7.x antérieures à 10.7.2.2 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 8.10.x antérieures à 8.10.0.21 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 10.4.x antérieures à 10.4.1.9 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 8.13.x antérieures à 8.13.1.1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Instant On versions ant\u00e9rieures \u00e0 3.3.2.0",
"product": {
"name": "Instant On",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "EdgeConnect SD-WAN Orchestrator versions ant\u00e9rieures \u00e0 9.5.6",
"product": {
"name": "EdgeConnect SD-WAN Orchestrator",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "Virtual Intranet Access (VIA) versions ant\u00e9rieures \u00e0 4.7.6",
"product": {
"name": "Virtual Intranet Access",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "EdgeConnect SD-WAN Orchestrator versions ant\u00e9rieures \u00e0 9.6.1",
"product": {
"name": "EdgeConnect SD-WAN Orchestrator",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 10.7.x ant\u00e9rieures \u00e0 10.7.2.2",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 8.10.x ant\u00e9rieures \u00e0 8.10.0.21",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 10.4.x ant\u00e9rieures \u00e0 10.4.1.9",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 8.13.x ant\u00e9rieures \u00e0 8.13.1.1",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
}
],
"affected_systems_content": "L\u2019\u00e9diteur pr\u00e9cise que les versions ArubaOS 6.5.4.x, 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.11.x, 8.12.x 10.3.x, 10.5.x, 10.6.x et SD-WAN 8.6.0.4-2.2.x, 8.7.0.0-2.3.0.x sont en fin de maintenance (EoM) et ne b\u00e9n\u00e9ficient plus de mises \u00e0 jour de s\u00e9curit\u00e9.",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-37177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37177"
},
{
"name": "CVE-2025-37172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37172"
},
{
"name": "CVE-2023-52340",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52340"
},
{
"name": "CVE-2025-37179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37179"
},
{
"name": "CVE-2025-37165",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37165"
},
{
"name": "CVE-2025-37168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37168"
},
{
"name": "CVE-2025-37173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37173"
},
{
"name": "CVE-2025-37170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37170"
},
{
"name": "CVE-2026-37185",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37185"
},
{
"name": "CVE-2025-37169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37169"
},
{
"name": "CVE-2025-37176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37176"
},
{
"name": "CVE-2025-37171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37171"
},
{
"name": "CVE-2026-37183",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37183"
},
{
"name": "CVE-2025-37174",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37174"
},
{
"name": "CVE-2022-48839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48839"
},
{
"name": "CVE-2025-37175",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37175"
},
{
"name": "CVE-2026-37182",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37182"
},
{
"name": "CVE-2025-37178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37178"
},
{
"name": "CVE-2026-37184",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37184"
},
{
"name": "CVE-2025-37166",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37166"
},
{
"name": "CVE-2025-37186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37186"
}
],
"initial_release_date": "2026-01-14T00:00:00",
"last_revision_date": "2026-01-14T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0042",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits HPE Aruba Networking. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits HPE Aruba Networking",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04987",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04987.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04994",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04994.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04988",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04988.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04992",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04992.txt"
}
]
}
CERTFR-2026-AVI-0042
Vulnerability from certfr_avis - Published: 2026-01-14 - Updated: 2026-01-14
De multiples vulnérabilités ont été découvertes dans les produits HPE Aruba Networking. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
L’éditeur précise que les versions ArubaOS 6.5.4.x, 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.11.x, 8.12.x, 10.3.x, 10.5.x, 10.6.x et SD-WAN 8.6.0.4-2.2.x, 8.7.0.0-2.3.0.x sont en fin de maintenance (EoM) et ne bénéficient plus de mises à jour de sécurité.
| Vendor | Product | Description | ||
|---|---|---|---|---|
| HPE Aruba Networking | Instant On | Instant On versions antérieures à 3.3.2.0 | ||
| HPE Aruba Networking | EdgeConnect SD-WAN Orchestrator | EdgeConnect SD-WAN Orchestrator versions antérieures à 9.5.6 | ||
| HPE Aruba Networking | Virtual Intranet Access | Virtual Intranet Access (VIA) versions antérieures à 4.7.6 | ||
| HPE Aruba Networking | EdgeConnect SD-WAN Orchestrator | EdgeConnect SD-WAN Orchestrator versions antérieures à 9.6.1 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 10.7.x antérieures à 10.7.2.2 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 8.10.x antérieures à 8.10.0.21 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 10.4.x antérieures à 10.4.1.9 | ||
| HPE Aruba Networking | AOS | ArubaOS versions 8.13.x antérieures à 8.13.1.1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Instant On versions ant\u00e9rieures \u00e0 3.3.2.0",
"product": {
"name": "Instant On",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "EdgeConnect SD-WAN Orchestrator versions ant\u00e9rieures \u00e0 9.5.6",
"product": {
"name": "EdgeConnect SD-WAN Orchestrator",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "Virtual Intranet Access (VIA) versions ant\u00e9rieures \u00e0 4.7.6",
"product": {
"name": "Virtual Intranet Access",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "EdgeConnect SD-WAN Orchestrator versions ant\u00e9rieures \u00e0 9.6.1",
"product": {
"name": "EdgeConnect SD-WAN Orchestrator",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 10.7.x ant\u00e9rieures \u00e0 10.7.2.2",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 8.10.x ant\u00e9rieures \u00e0 8.10.0.21",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 10.4.x ant\u00e9rieures \u00e0 10.4.1.9",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
},
{
"description": "ArubaOS versions 8.13.x ant\u00e9rieures \u00e0 8.13.1.1",
"product": {
"name": "AOS",
"vendor": {
"name": "HPE Aruba Networking",
"scada": false
}
}
}
],
"affected_systems_content": "L\u2019\u00e9diteur pr\u00e9cise que les versions ArubaOS 6.5.4.x, 8.6.x, 8.7.x, 8.8.x, 8.9.x, 8.11.x, 8.12.x 10.3.x, 10.5.x, 10.6.x et SD-WAN 8.6.0.4-2.2.x, 8.7.0.0-2.3.0.x sont en fin de maintenance (EoM) et ne b\u00e9n\u00e9ficient plus de mises \u00e0 jour de s\u00e9curit\u00e9.",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-37177",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37177"
},
{
"name": "CVE-2025-37172",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37172"
},
{
"name": "CVE-2023-52340",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52340"
},
{
"name": "CVE-2025-37179",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37179"
},
{
"name": "CVE-2025-37165",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37165"
},
{
"name": "CVE-2025-37168",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37168"
},
{
"name": "CVE-2025-37173",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37173"
},
{
"name": "CVE-2025-37170",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37170"
},
{
"name": "CVE-2026-37185",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37185"
},
{
"name": "CVE-2025-37169",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37169"
},
{
"name": "CVE-2025-37176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37176"
},
{
"name": "CVE-2025-37171",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37171"
},
{
"name": "CVE-2026-37183",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37183"
},
{
"name": "CVE-2025-37174",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37174"
},
{
"name": "CVE-2022-48839",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-48839"
},
{
"name": "CVE-2025-37175",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37175"
},
{
"name": "CVE-2026-37182",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37182"
},
{
"name": "CVE-2025-37178",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37178"
},
{
"name": "CVE-2026-37184",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37184"
},
{
"name": "CVE-2025-37166",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37166"
},
{
"name": "CVE-2025-37186",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-37186"
}
],
"initial_release_date": "2026-01-14T00:00:00",
"last_revision_date": "2026-01-14T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0042",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-01-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits HPE Aruba Networking. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits HPE Aruba Networking",
"vendor_advisories": [
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04987",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04987.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04994",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04994.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04988",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04988.txt"
},
{
"published_at": "2026-01-13",
"title": "Bulletin de s\u00e9curit\u00e9 HPE Aruba Networking HPESBNW04992",
"url": "https://csaf.arubanetworks.com/2026/hpe_aruba_networking_-_hpesbnw04992.txt"
}
]
}
FKIE_CVE-2025-37177
Vulnerability from fkie_nvd - Published: 2026-01-13 20:16 - Updated: 2026-06-17 09:15
| Vendor | Product | Version | |
|---|---|---|---|
| arubanetworks | arubaos | * | |
| arubanetworks | arubaos | * | |
| arubanetworks | arubaos | * | |
| arubanetworks | arubaos | * |
{
"affected": [
{
"affectedData": [
{
"defaultStatus": "affected",
"product": "ArubaOS (AOS)",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.7.2.1",
"status": "affected",
"version": "10.6.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.4.1.9",
"status": "affected",
"version": "10.3.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.13.1.0",
"status": "affected",
"version": "8.12.0.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "8.10.0.20",
"status": "affected",
"version": "8.10.0.0",
"versionType": "semver"
}
]
}
],
"source": "security-alert@hpe.com"
}
],
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "187C0AB6-1290-4FE3-9FFE-7317DC57B931",
"versionEndExcluding": "8.10.0.21",
"versionStartIncluding": "6.5.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "1C7390DD-329B-44A3-9693-34211258DF37",
"versionEndExcluding": "8.13.1.1",
"versionStartIncluding": "8.11.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "93E77EBB-E46E-47E5-ADD2-1BD80257B08B",
"versionEndExcluding": "10.4.1.10",
"versionStartIncluding": "10.3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:arubanetworks:arubaos:*:*:*:*:*:*:*:*",
"matchCriteriaId": "48B3A810-4DD3-403E-9A76-AB86EF7EA9D1",
"versionEndExcluding": "10.7.2.2",
"versionStartIncluding": "10.5.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system."
},
{
"lang": "es",
"value": "Una vulnerabilidad de eliminaci\u00f3n arbitraria de archivos ha sido identificada en la interfaz de l\u00ednea de comandos de los conductores de movilidad que ejecutan sistemas operativos AOS-10 o AOS-8. La explotaci\u00f3n exitosa de esta vulnerabilidad podr\u00eda permitir a un actor malicioso remoto autenticado eliminar archivos arbitrarios dentro del sistema afectado."
}
],
"id": "CVE-2025-37177",
"lastModified": "2026-06-17T09:15:18.567",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 5.2,
"source": "security-alert@hpe.com",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2025-37177",
"options": [
{
"exploitation": "none"
},
{
"automatable": "no"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-13T20:54:11.185125Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-01-13T20:16:05.853",
"references": [
{
"source": "security-alert@hpe.com",
"tags": [
"Vendor Advisory"
],
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"sourceIdentifier": "security-alert@hpe.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-552"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}
GHSA-CQWJ-XMCH-H6Q7
Vulnerability from github – Published: 2026-01-13 21:31 – Updated: 2026-01-13 21:31
An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
{
"affected": [],
"aliases": [
"CVE-2025-37177"
],
"database_specific": {
"cwe_ids": [
"CWE-552"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T20:16:05Z",
"severity": "MODERATE"
},
"details": "An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.",
"id": "GHSA-cqwj-xmch-h6q7",
"modified": "2026-01-13T21:31:45Z",
"published": "2026-01-13T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-37177"
},
{
"type": "WEB",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"type": "CVSS_V3"
}
]
}
NCSC-2026-0016
Vulnerability from csaf_ncscnl - Published: 2026-01-16 09:44 - Updated: 2026-01-16 09:44
AOS-8 operating system for mobility conductors has an arbitrary file deletion vulnerability that allows unauthenticated remote attackers to delete files, potentially causing denial-of-service issues.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
A stack overflow vulnerability in the AOS-10 web management interface of a Mobility Gateway allows authenticated attackers to execute arbitrary code with elevated privileges on the operating system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
Authenticated command injection vulnerabilities in the AOS-8 operating system's web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
Authenticated command injection vulnerabilities in the AOS-8 operating system's web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37172: Authenticated command injection vulnerabilities in the AOS-8 operating system's web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37173: An authenticated attacker could exploit an improper input handling vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8, leading to unintended system behavior.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37174: An authenticated arbitrary file write vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8 allows privileged users to create or modify files and execute commands.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37175: An arbitrary file upload vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8 allows authenticated attackers to upload files and execute commands on the operating system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37176: AOS-8 contains a command injection vulnerability that allows authenticated privileged users to modify package headers and potentially execute shell commands with elevated privileges.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37177: A vulnerability in the command-line interface of mobility conductors using AOS-10 or AOS-8 allows authenticated remote attackers to delete arbitrary files on the system.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37178: Multiple out-of-bounds read vulnerabilities were identified in a system component due to insufficient buffer size validation, potentially causing process crashes and denial-of-service conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
CVE-2025-37179: Multiple out-of-bounds read vulnerabilities were identified in a system component due to insufficient buffer size validation, potentially causing process crashes and denial-of-service conditions.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
vers:unknown/*
HPE / ArubaOS (AOS)
|
vers:unknown/* |
{
"document": {
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"lang": "nl",
"notes": [
{
"category": "legal_disclaimer",
"text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this page to enhance access to its information and security advisories. The use of this security advisory is subject to the following terms and conditions:\n\n NCSC-NL makes every reasonable effort to ensure that the content of this page is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or continuous keeping up-to-date. The information contained in this security advisory is intended solely for the purpose of providing general information to professional users. No rights can be derived from the information provided therein.\n\n NCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of this security advisory. This includes damage resulting from the inaccuracy of incompleteness of the information contained in the advisory.\n This security advisory is subject to Dutch law. All disputes related to or arising from the use of this advisory will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
},
{
"category": "description",
"text": "Aruba Networks heeft kwetsbaarheden verholpen in AOS-8 en AOS-10.",
"title": "Feiten"
},
{
"category": "description",
"text": "De kwetsbaarheden bevinden zich in de webmanagementinterfaces van de AOS-8 en AOS-10 systemen. Deze kwetsbaarheden omvatten onder andere een arbitrarily file deletion, stack overflow, command injection, en improper input handling. Een kwaadwillende kan deze kwetsbaarheden misbruiken om ongeautoriseerde toegang te verkrijgen, bestanden te verwijderen of te manipuleren, en zelfs commando\u0027s met verhoogde privileges uit te voeren. \n\nVoor succesvol misbruik moet de kwaadwillende toegang hebben tot de management-interface, of de Command Line. Het is goed gebruik om een dergelijke interface niet publiek toegankelijk te hebben, maar af te steunen in een separate beheeromgeving.",
"title": "Interpretaties"
},
{
"category": "description",
"text": "Aruba Networks heeft updates uitgebracht om de kwetsbaarheden te verhelpen. Zie bijgevoegde referenties voor meer informatie.",
"title": "Oplossingen"
},
{
"category": "general",
"text": "medium",
"title": "Kans"
},
{
"category": "general",
"text": "high",
"title": "Schade"
},
{
"category": "general",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "general",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "general",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "general",
"text": "Insecure Inherited Permissions",
"title": "CWE-277"
},
{
"category": "general",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "general",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
}
],
"publisher": {
"category": "coordinator",
"contact_details": "cert@ncsc.nl",
"name": "Nationaal Cyber Security Centrum",
"namespace": "https://www.ncsc.nl/"
},
"references": [
{
"category": "external",
"summary": "Reference",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"title": "Kwetsbaarheden verholpen in Aruba Networks ArubaOS",
"tracking": {
"current_release_date": "2026-01-16T09:44:20.575860Z",
"generator": {
"date": "2025-08-04T16:30:00Z",
"engine": {
"name": "V.A.",
"version": "1.3"
}
},
"id": "NCSC-2026-0016",
"initial_release_date": "2026-01-16T09:44:20.575860Z",
"revision_history": [
{
"date": "2026-01-16T09:44:20.575860Z",
"number": "1.0.0",
"summary": "Initiele versie"
}
],
"status": "final",
"version": "1.0.0"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "vers:unknown/*",
"product": {
"name": "vers:unknown/*",
"product_id": "CSAFPID-1"
}
}
],
"category": "product_name",
"name": "ArubaOS (AOS)"
}
],
"category": "vendor",
"name": "HPE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-37168",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"notes": [
{
"category": "other",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "description",
"text": "AOS-8 operating system for mobility conductors has an arbitrary file deletion vulnerability that allows unauthenticated remote attackers to delete files, potentially causing denial-of-service issues.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37168 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37168.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37168"
},
{
"cve": "CVE-2025-37169",
"notes": [
{
"category": "description",
"text": "A stack overflow vulnerability in the AOS-10 web management interface of a Mobility Gateway allows authenticated attackers to execute arbitrary code with elevated privileges on the operating system.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37169 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37169.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37169"
},
{
"cve": "CVE-2025-37170",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "Authenticated command injection vulnerabilities in the AOS-8 operating system\u0027s web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37170 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37170.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37170"
},
{
"cve": "CVE-2025-37171",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "Authenticated command injection vulnerabilities in the AOS-8 operating system\u0027s web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37171 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37171.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37171"
},
{
"cve": "CVE-2025-37172",
"cwe": {
"id": "CWE-78",
"name": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"title": "CWE-78"
},
{
"category": "description",
"text": "Authenticated command injection vulnerabilities in the AOS-8 operating system\u0027s web management interface for mobility conductors allow malicious actors to execute arbitrary commands with elevated privileges.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37172 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37172.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37172"
},
{
"cve": "CVE-2025-37173",
"cwe": {
"id": "CWE-20",
"name": "Improper Input Validation"
},
"notes": [
{
"category": "other",
"text": "Improper Input Validation",
"title": "CWE-20"
},
{
"category": "description",
"text": "An authenticated attacker could exploit an improper input handling vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8, leading to unintended system behavior.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37173 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37173.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37173"
},
{
"cve": "CVE-2025-37174",
"cwe": {
"id": "CWE-277",
"name": "Insecure Inherited Permissions"
},
"notes": [
{
"category": "other",
"text": "Insecure Inherited Permissions",
"title": "CWE-277"
},
{
"category": "description",
"text": "An authenticated arbitrary file write vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8 allows privileged users to create or modify files and execute commands.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37174 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37174.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37174"
},
{
"cve": "CVE-2025-37175",
"cwe": {
"id": "CWE-434",
"name": "Unrestricted Upload of File with Dangerous Type"
},
"notes": [
{
"category": "other",
"text": "Unrestricted Upload of File with Dangerous Type",
"title": "CWE-434"
},
{
"category": "description",
"text": "An arbitrary file upload vulnerability in the web-based management interface of mobility conductors using AOS-10 or AOS-8 allows authenticated attackers to upload files and execute commands on the operating system.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37175 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37175.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37175"
},
{
"cve": "CVE-2025-37176",
"cwe": {
"id": "CWE-77",
"name": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)"
},
"notes": [
{
"category": "other",
"text": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"title": "CWE-77"
},
{
"category": "description",
"text": "AOS-8 contains a command injection vulnerability that allows authenticated privileged users to modify package headers and potentially execute shell commands with elevated privileges.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37176 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37176.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37176"
},
{
"cve": "CVE-2025-37177",
"cwe": {
"id": "CWE-552",
"name": "Files or Directories Accessible to External Parties"
},
"notes": [
{
"category": "other",
"text": "Files or Directories Accessible to External Parties",
"title": "CWE-552"
},
{
"category": "description",
"text": "A vulnerability in the command-line interface of mobility conductors using AOS-10 or AOS-8 allows authenticated remote attackers to delete arbitrary files on the system.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37177 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37177.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37177"
},
{
"cve": "CVE-2025-37178",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "Multiple out-of-bounds read vulnerabilities were identified in a system component due to insufficient buffer size validation, potentially causing process crashes and denial-of-service conditions.",
"title": "Summary"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37178 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37178.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37178"
},
{
"cve": "CVE-2025-37179",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "other",
"text": "Out-of-bounds Read",
"title": "CWE-125"
},
{
"category": "description",
"text": "Multiple out-of-bounds read vulnerabilities were identified in a system component due to insufficient buffer size validation, potentially causing process crashes and denial-of-service conditions.",
"title": "Summary"
},
{
"category": "general",
"text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"title": "CVSSV4"
}
],
"product_status": {
"known_affected": [
"CSAFPID-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2025-37179 | NCSC-NL Website",
"url": "https://vulnerabilities.ncsc.nl/csaf/v2/2025/cve-2025-37179.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"CSAFPID-1"
]
}
],
"title": "CVE-2025-37179"
}
]
}
WID-SEC-W-2026-0091
Vulnerability from csaf_certbund - Published: 2026-01-13 23:00 - Updated: 2026-01-13 23:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Aruba ArubaOS <8.13.1.1
Aruba / ArubaOS
|
<8.13.1.1 | ||
|
Aruba ArubaOS <10.4.1.10
Aruba / ArubaOS
|
<10.4.1.10 | ||
|
Aruba ArubaOS <10.7.2.2
Aruba / ArubaOS
|
<10.7.2.2 | ||
|
Aruba ArubaOS <8.10.0.21
Aruba / ArubaOS
|
<8.10.0.21 |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "ArubaOS ist das Betriebssystem der Aruba Netzwerkprodukte.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Aruba ArubaOS ausnutzen, um Dateien zu manipulieren, um beliebigen Programmcode auszuf\u00fchren, und um einen Denial of Service Angriff durchzuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- BIOS/Firmware\n- Hardware Appliance",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-0091 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0091.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-0091 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0091"
},
{
"category": "external",
"summary": "HPE Security Bulletin HPESBNW04987 rev.1 vom 2026-01-13",
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us\u0026docLocale=en_US"
}
],
"source_lang": "en-US",
"title": "Aruba ArubaOS: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-01-13T23:00:00.000+00:00",
"generator": {
"date": "2026-01-14T07:35:57.181+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.5.0"
}
},
"id": "WID-SEC-W-2026-0091",
"initial_release_date": "2026-01-13T23:00:00.000+00:00",
"revision_history": [
{
"date": "2026-01-13T23:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c10.7.2.2",
"product": {
"name": "Aruba ArubaOS \u003c10.7.2.2",
"product_id": "T049901"
}
},
{
"category": "product_version",
"name": "10.7.2.2",
"product": {
"name": "Aruba ArubaOS 10.7.2.2",
"product_id": "T049901-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:arubanetworks:arubaos:10.7.2.2"
}
}
},
{
"category": "product_version_range",
"name": "\u003c10.4.1.10",
"product": {
"name": "Aruba ArubaOS \u003c10.4.1.10",
"product_id": "T049902"
}
},
{
"category": "product_version",
"name": "10.4.1.10",
"product": {
"name": "Aruba ArubaOS 10.4.1.10",
"product_id": "T049902-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:arubanetworks:arubaos:10.4.1.10"
}
}
},
{
"category": "product_version_range",
"name": "\u003c8.13.1.1",
"product": {
"name": "Aruba ArubaOS \u003c8.13.1.1",
"product_id": "T049903"
}
},
{
"category": "product_version",
"name": "8.13.1.1",
"product": {
"name": "Aruba ArubaOS 8.13.1.1",
"product_id": "T049903-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:arubanetworks:arubaos:8.13.1.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c8.10.0.21",
"product": {
"name": "Aruba ArubaOS \u003c8.10.0.21",
"product_id": "T049904"
}
},
{
"category": "product_version",
"name": "8.10.0.21",
"product": {
"name": "Aruba ArubaOS 8.10.0.21",
"product_id": "T049904-fixed",
"product_identification_helper": {
"cpe": "cpe:/o:arubanetworks:arubaos:8.10.0.21"
}
}
}
],
"category": "product_name",
"name": "ArubaOS"
}
],
"category": "vendor",
"name": "Aruba"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-37168",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37168"
},
{
"cve": "CVE-2025-37169",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37169"
},
{
"cve": "CVE-2025-37170",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37170"
},
{
"cve": "CVE-2025-37171",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37171"
},
{
"cve": "CVE-2025-37172",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37172"
},
{
"cve": "CVE-2025-37173",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37173"
},
{
"cve": "CVE-2025-37174",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37174"
},
{
"cve": "CVE-2025-37175",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37175"
},
{
"cve": "CVE-2025-37176",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37176"
},
{
"cve": "CVE-2025-37177",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37177"
},
{
"cve": "CVE-2025-37178",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37178"
},
{
"cve": "CVE-2025-37179",
"product_status": {
"known_affected": [
"T049903",
"T049902",
"T049901",
"T049904"
]
},
"release_date": "2026-01-13T23:00:00.000+00:00",
"title": "CVE-2025-37179"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.