CVE-2025-37160

Severity
6.5 MEDIUM
EPSS
0.1%
top 79.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Nov 18

Description

A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 | Impact: 1.4

Affected Packages
2 packages

NVD hpe/arubaos-cx 10.10.0000 10.10.1170 +4

Vulnerability Details

2
CVEList
Authenticated Broken Access Control (BAC) in REST API Configuration Service
2025-11-18
GHSA
GHSA-px47-3rg8-h2rq: A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to
2025-11-18