Arubanetworks Arubaos vulnerabilities

198 known vulnerabilities affecting arubanetworks/arubaos.

Total CVEs: 198
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 45, HIGH 94, MEDIUM 55, LOW 4

Vulnerabilities

Page 2 of 10
CVE-2025-37132 | HIGH | CVSS 7.2 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37132 [HIGH] CWE-434: An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.
nvd
CVE-2025-37133 | HIGH | CVSS 7.2 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37133 [HIGH] CWE-77: An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
nvd
CVE-2025-37134 | HIGH | CVSS 7.2 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37134 [HIGH] CWE-77: An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
nvd
CVE-2025-37138 | MEDIUM | CVSS 6.2 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37138 [MEDIUM] CWE-77: An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute a
nvd
CVE-2025-37136 | MEDIUM | CVSS 6.5 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37136 [MEDIUM] CWE-284: Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
nvd
CVE-2025-37140 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37140 [MEDIUM] CWE-284: Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-37144 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37144 [MEDIUM] CWE-22: Arbitrary file download vulnerabilities exist in a low-level interface library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-37145 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37145 [MEDIUM] CWE-22: Arbitrary file download vulnerabilities exist in a low-level interface library in AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-37141 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37141 [MEDIUM] CWE-284: Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-37142 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37142 [MEDIUM] CWE-284: Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-37137 | MEDIUM | CVSS 6.5 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37137 [MEDIUM] CWE-284: Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
nvd
CVE-2025-37135 | MEDIUM | CVSS 6.5 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37135 [MEDIUM] CWE-284: Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
nvd
CVE-2025-37143 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.19; ≥ 8.12.0.0, < 8.12.0.6; +3 more | 2025-10-14
CVE-2025-37143 [MEDIUM] CWE-284: An arbitrary file download vulnerability exists in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
nvd
CVE-2025-27082 | HIGH | CVSS 7.2 | ≥ 8.10.0.0, < 8.10.0.16; ≥ 8.12.0.0, < 8.12.0.4; +2 more | 2025-04-08
CVE-2025-27082 [HIGH] CWE-434: Arbitrary File Write vulnerabilities exist in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated attacker to upload arbitrary files and execute arbitrary commands on the underlying host operating system.
nvd
CVE-2025-27083 | HIGH | CVSS 7.2 | ≥ 8.10.0.0, < 8.10.0.16; ≥ 8.12.0.0, < 8.12.0.4; +2 more | 2025-04-08
CVE-2025-27083 [HIGH] CWE-77: Authenticated command injection vulnerabilities exist in the AOS-10 GW and AOS-8 Controller/Mobility Conductor web-based management interface. Successful exploitation of these vulnerabilities allows an authenticated attacker to execute arbitrary commands as a privileged user on the underlying operating system.
nvd
CVE-2025-27084 | MEDIUM | CVSS 6.1 | ≥ 8.10.0.0, < 8.10.0.16; ≥ 8.12.0.0, < 8.12.0.4; +2 more | 2025-04-08
CVE-2025-27084 [MEDIUM] CWE-79: A vulnerability in the Captive Portal of an AOS-10 GW and AOS-8 Controller/Mobility Conductor could allow a remote attacker to conduct a reflected cross-site scripting (XSS) attack. Successful exploitation could enable the attacker to execute arbitrary script code in the victim's browser within the context of the affected interface.
nvd
CVE-2025-27085 | MEDIUM | CVSS 4.9 | ≥ 8.10.0.0, < 8.10.0.16; ≥ 8.12.0.0, < 8.12.0.4; +2 more | 2025-04-08
CVE-2025-27085 [MEDIUM] CWE-22: Multiple vulnerabilities exist in the web-based management interface of AOS-10 GW and AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated, remote attacker to download arbitrary files from the filesystem of an affected device.
nvd
CVE-2024-42393 | CRITICAL | CVSS 9.8 | ≥ 10.3.0.0, < 10.4.1.4; ≥ 10.5.0.0, < 10.6.0.1 | 2024-08-06
CVE-2024-42393 [CRITICAL] CWE-787: There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
nvd
CVE-2024-42395 | CRITICAL | CVSS 9.8 | ≥ 10.3.0.0, < 10.4.1.4; ≥ 10.5.0.0, < 10.6.0.1 | 2024-08-06
CVE-2024-42395 [CRITICAL] CWE-787: There is a vulnerability in the AP Certificate Management Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
nvd
CVE-2024-42394 | CRITICAL | CVSS 9.8 | ≥ 10.3.0.0, < 10.4.1.4; ≥ 10.5.0.0, < 10.6.0.1 | 2024-08-06
CVE-2024-42394 [CRITICAL] CWE-787: There are vulnerabilities in the Soft AP Daemon Service which could allow a threat actor to execute an unauthenticated RCE attack. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system leading to complete system compromise.
nvd