HPE Aruba Networking has released a critical security advisory patching a swarm of vulnerabilities across its AOS-8 and AOS-10 operating systems. The flaws, which affect Mobility Conductors, Controllers, and Gateways, range from authenticated command injection to a high-severity bug that allows unauthenticated attackers to wipe files from the system.
The most alarming vulnerability in the batch, tracked as CVE-2025-37168, carries a CVSS score of 8.2 and poses a direct threat to system availability.
While many of the disclosed vulnerabilities require an attacker to have a valid login, CVE-2025-37168 breaks that rule. This arbitrary file deletion vulnerability affects the system function of Mobility Conductors running AOS-8 and can be triggered without authentication.
According to the advisory, “successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system”.
The impact of such an attack is immediate and disruptive. By deleting critical system files, an attacker can trigger a “denial-of-service condition,” effectively knocking the device offline or rendering it unstable. This flaw was discovered by researcher n3k via the company’s bug bounty program.
For attackers who do manage to get a foothold (or rogue insiders), the update patches several pathways to total system control.
- Stack Overflow in AOS-10 (CVE-2025-37169): A stack overflow in the web management interface allows an authenticated user to “execute arbitrary code as a privileged user” on the underlying OS.
- Command Injection in AOS-8 (CVE-2025-37170, CVE-2025-37171, CVE-2025-37172): Multiple command injection flaws allow authenticated attackers to run commands as a privileged user.
- File Upload & Write (CVE-2025-37174, CVE-2025-37175): Affecting both AOS-8 and AOS-10, these flaws allow authenticated users to upload or modify files to achieve code execution.
A significant number of these high-severity findings were credited to researcher zzcentury from the Ubisectech Sirius Team.
HPE Aruba Networking has released patches for supported versions of AOS. Administrators should upgrade to the following versions immediately to close these security gaps:
- AOS-10.7.x.x: Upgrade to 10.7.2.2 or above
- AOS-10.4.x.x: Upgrade to 10.4.1.10 or above
- AOS-8.13.x.x: Upgrade to 8.13.1.1 or above
- AOS-8.10.x.x: Upgrade to 8.10.0.21 or above
The advisory includes a stark warning for organizations running older software. A long list of End of Maintenance (EOM) versions—including AOS-10.6, AOS-8.12, AOS-8.11, and SD-WAN 8.7—are affected by these vulnerabilities but will not receive patches. Users on these versions are effectively exposed indefinitely unless they upgrade to a supported branch.
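The following script is an added example, not code from HPE Aruba Networking or from the advisory. It encodes the fixed versions and End of Maintenance branches listed above and checks an inventory of controller version strings against them, so an administrator can quickly sort devices into patched, still vulnerable, and EOM-with-no-fix. The inventory format (`hostname,version` lines) and the sample device names and versions are constructed for the example; the four-part `major.minor.patch.build` version format is assumed from the version numbers quoted in the advisory.

```python
"""Sort AOS devices by patch status using the fixed versions from the HPE Aruba advisory."""
import re

# First fixed release per supported branch, taken from the advisory.
FIXED_VERSIONS = {
    "10.7": (10, 7, 2, 2),
    "10.4": (10, 4, 1, 10),
    "8.13": (8, 13, 1, 1),
    "8.10": (8, 10, 0, 21),
}

# AOS branches the advisory lists as End of Maintenance: affected, no patch coming.
# (SD-WAN 8.7 is also listed as EOM, but a bare version string does not identify
# the product line, so such devices fall through to UNKNOWN_BRANCH for manual review.)
EOM_BRANCHES = {"10.6", "8.12", "8.11"}

# Assumed four-part version format, e.g. "8.10.0.21".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """Turn '10.7.2.2' into (10, 7, 2, 2) so tuples compare numerically, not as strings."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a dotted AOS version: {text!r}")
    return tuple(int(x) for x in m.groups())


def assess(version: str) -> str:
    """Classify one version string: PATCHED, VULNERABLE, EOM_NO_FIX or UNKNOWN_BRANCH."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch in EOM_BRANCHES:
        return "EOM_NO_FIX"          # affected and will never receive a patch
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return "UNKNOWN_BRANCH"      # not in the advisory's tables; review by hand
    # Lexicographic tuple comparison handles builds like 10.7.10.0 correctly
    # (a plain string comparison would rank "10.7.10.0" below "10.7.2.2").
    return "PATCHED" if v >= fixed else "VULNERABLE"


def assess_inventory(lines) -> dict:
    """Map hostname -> status for 'hostname,version' records; blank and '#' lines are skipped."""
    results = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        host, ver = [p.strip() for p in line.split(",", 1)]
        try:
            results[host] = assess(ver)
        except ValueError:
            results[host] = "UNPARSEABLE"
    return results


# Constructed sample inventory; hostnames and versions are not from the advisory.
SAMPLE_INVENTORY = [
    "# hostname,version",
    "mc-core-01,8.10.0.20",     # one build short of the fix
    "mc-core-02,8.10.0.21",     # exactly the fixed release
    "gw-branch-01,10.7.2.1",
    "gw-branch-02,10.7.10.0",   # later build than the fix on the same branch
    "mc-legacy-01,8.12.0.5",    # EOM branch, no patch available
    "gw-unknown,9.9.9.9",
    "gw-bad-record,eight-ten",
]

if __name__ == "__main__":
    for host, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

Devices reported as `VULNERABLE` need the upgrade listed above; `EOM_NO_FIX` devices cannot be fixed in place and must move to a supported branch, and until either happens they are the ones to isolate behind the management VLAN or firewall restrictions HPE recommends.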
For those unable to patch immediately, HPE advises restricting access to the CLI and web interfaces to a dedicated VLAN or using strict firewall policies as a temporary mitigation.