CVE-2025-37159

CWE-384 CWE-4154 documents4 sources

Severity

7.3HIGH

EPSS

0.1%

top 83.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

HPE Arubaos-cx Hewlett Packard Enterprise (hpe) HPE Aruba Networking Aos-cx

Timeline

PublishedNov 18

Description

A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:NExploitability: 0.6 | Impact: 5.2

Affected Packages2 packages

▶NVDhpe/arubaos-cx10.10.0000 — 10.10.1170+4

▶CVEListV5hewlett_packard_enterprise_(hpe)/hpe_aruba_networking_aos-cx10.16.0000 — 10.16.1000+4

🔴Vulnerability Details

GHSA

GHSA-22q3-4g3j-wq87: A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an↗2025-11-18

▶

CVEList

Authenticated Session Hijacking Allows Unauthorized Access in Network Switching Software↗2025-11-18

▶

📋Vendor Advisories

Microsoft

hso_free_net_device in drivers/net/usb/hso.c in the Linux kernel through 5.13.4 calls unregister_netdev without checking for the NETREG_REGISTERED state leading to a use-after-free and a double free.↗2021-07-13

▶