Hewlett Packard Enterprise Arubaos vulnerabilities

CVE-2025-37168 [CRITICAL] CWE-552 CVE-2025-37168: Arbitrary file deletion vulnerability have been identified in a system function of mobility conducto Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially result in denial-of-service conditions on aff

CVE-2025-37176 [HIGH] CWE-77 CVE-2025-37176: A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a packag A command injection vulnerability in AOS-8 allows an authenticated privileged user to alter a package header to inject shell commands, potentially affecting the execution of internal operations. Successful exploit could allow an authenticated malicious actor to execute commands with the privileges of the impacted mechanism.

CVE-2025-37172 [HIGH] CWE-78 CVE-2025-37172: Authenticated command injection vulnerabilities exist in the web-based management interface of mobil Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2025-37171 [HIGH] CWE-78 CVE-2025-37171: Authenticated command injection vulnerabilities exist in the web-based management interface of mobil Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2025-37170 [HIGH] CWE-78 CVE-2025-37170: Authenticated command injection vulnerabilities exist in the web-based management interface of mobil Authenticated command injection vulnerabilities exist in the web-based management interface of mobility conductors running AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2025-37173 [HIGH] CWE-20 CVE-2025-37173: An improper input handling vulnerability exists in the web-based management interface of mobility co An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system.

CVE-2025-37169 [HIGH] CWE-787 CVE-2025-37169: A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gat A stack overflow vulnerability exists in the AOS-10 web-based management interface of a Mobility Gateway. Successful exploitation could allow an authenticated malicious actor to execute arbitrary code as a privileged user on the underlying operating system.

CVE-2025-37174 [HIGH] CWE-277 CVE-2025-37174: Authenticated arbitrary file write vulnerability exists in the web-based management interface of mob Authenticated arbitrary file write vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to create or modify arbitrary files and execute arbitrary commands as a privileged user on the underlying operating s

CVE-2025-37178 [HIGH] CWE-125 CVE-2025-37178: Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for ha Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential d

CVE-2025-37175 [HIGH] CWE-434 CVE-2025-37175: Arbitrary file upload vulnerability exists in the web-based management interface of mobility conduct Arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privilege user and execute arbitrary commands on the underlying operating system.

CVE-2025-37179 [MEDIUM] CWE-125 CVE-2025-37179: Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for ha Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this can result in a crash of the affected process and a potential

CVE-2025-37177 [MEDIUM] CWE-552 CVE-2025-37177: An arbitrary file deletion vulnerability has been identified in the command-line interface of mobili An arbitrary file deletion vulnerability has been identified in the command-line interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation of this vulnerability could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

CVE-2025-37146 [HIGH] CWE-77 CVE-2025-37146: A vulnerability in the web-based management interface of network access point configuration services A vulnerability in the web-based management interface of network access point configuration services could allow an authenticated remote attacker to perform remote command execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.

CVE-2025-37132 [HIGH] CWE-434 CVE-2025-37132: An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-1 An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.

CVE-2025-37147 [HIGH] CWE-290 CVE-2025-37147: A Secure Boot Bypass Vulnerability exists in affected Access Points that allows an adversary to bypa A Secure Boot Bypass Vulnerability exists in affected Access Points that allows an adversary to bypass the hardware root of trust verification in place to ensure only vendor-signed firmware can execute on the device. An adversary can exploit this vulnerability to run modified or custom firmware on affected Access Points.

CVE-2025-37133 [HIGH] CWE-77 CVE-2025-37133: An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mob An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2025-37134 [HIGH] CWE-77 CVE-2025-37134: An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mob An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

CVE-2025-37135 [MEDIUM] CWE-284 CVE-2025-37135: Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.

CVE-2025-37141 [MEDIUM] CWE-284 CVE-2025-37141: Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mo Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.

CVE-2025-37138 [MEDIUM] CWE-77 CVE-2025-37138: An authenticated command injection vulnerability exists in the command line interface binary of AOS- An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute a