CVE-2025-37138Command Injection in Arubaos

CWE-77Command Injection3 documents3 sources
Severity
6.2MEDIUMNVD
EPSS
0.0%
top 93.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Arubanetworks ArubaosHewlett Packard Enterprise Arubaos
Timeline
PublishedOct 14

Description

An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute arbitrary commands as a privileged user on the underlying operating system.

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 0.3 | Impact: 5.9

Affected Packages2 packages

NVDarubanetworks/arubaos8.10.0.08.10.0.19+4
CVEListV5hewlett_packard_enterprise/arubaos10.7.0.010.7.1.1+4

🔴Vulnerability Details

2
GHSA
GHSA-jr3w-w834-fj2p: An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor ope2025-10-14
CVEList
Authenticated Command Injection Vulnerability in CLI Binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor Web-Based Management Interface (Physical Access Required)2025-10-14
CVE-2025-37138 — Command Injection in Arubaos | cvebase