
HPE Aruba Networking has released a security update addressing a high-severity vulnerability in its Private 5G Core Platform that could allow unauthorized users to access sensitive information stored within system files. The vulnerability, tracked as CVE-2025-37100, has been assigned a CVSS score of 7.7, signaling a serious risk to confidentiality within enterprise environments.
According to the official advisory: “A vulnerability in the APIs of HPE Aruba Networking Private 5G Core could potentially expose sensitive information to unauthorized users.”
The vulnerability affects HPE Aruba Networking Private 5G Core software versions 1.24.1.0 through 1.25.1.0. If exploited, it allows attackers to navigate the file system and download protected files.
“A successful exploitation could allow an attacker to iteratively navigate through the filesystem and ultimately download protected system files containing sensitive information,” the advisory explains.
Such a flaw could be leveraged to obtain confidential configuration data, authentication secrets, or logs that may aid in further compromise of the private 5G infrastructure.
As of the advisory’s publication date, there is no known exploitation or public proof-of-concept code in circulation.
Until the patch can be applied, HPE recommends a simple GUI-based mitigation:
- Disable the ‘Terminal’ service by following the steps below:
  - On the upper bar of the GUI, click on System > Services.
  - Toggle the ‘Terminal’ service to disabled or click on the square button to stop the service.
Disabling this service reduces the attack surface and temporarily limits access to vulnerable functionality.
The vulnerability has been addressed in version 1.25.1.1 of the HPE Aruba Networking Private 5G Core software.
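To track exposure across several deployments, the version range and the interim mitigation above can be combined into one triage check. The following Python is an added example, not code from HPE or the advisory; the inventory format, host names and status strings are assumptions, and releases at or above 1.25.1.1 are assumed to carry the fix.

```python
# Added example: triage a constructed inventory against the advisory's version range.
AFFECTED_MIN = (1, 24, 1, 0)  # first affected release named in the advisory
AFFECTED_MAX = (1, 25, 1, 0)  # last affected release named in the advisory
FIXED = (1, 25, 1, 1)         # release that addresses CVE-2025-37100


def parse_version(text):
    """Parse a four-part dotted version into a tuple of ints.

    Comparing tuples avoids the string-comparison trap where
    '1.24.10.0' sorts before '1.24.2.0'.
    """
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version, terminal_enabled):
    """Classify one deployment by version and 'Terminal' service state."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        if terminal_enabled:
            return "AFFECTED: disable Terminal service now, then upgrade"
        return "AFFECTED (mitigated): upgrade to 1.25.1.1"
    if v >= FIXED:
        return "FIXED"  # assumption: later releases keep the fix
    # Older than the range the advisory lists; the page does not say
    # whether such releases are affected.
    return "NOT LISTED: check the vendor advisory"


# Constructed sample inventory: (host, version, Terminal service enabled?)
INVENTORY = [
    ("p5g-core-plant-a", "1.24.1.0", True),
    ("p5g-core-plant-b", "1.24.10.0", False),
    ("p5g-core-lab", "1.25.1.1", True),
    ("p5g-core-legacy", "1.23.4.0", True),
]


def report(inventory):
    """Return {host: status} for every entry in the inventory."""
    return {host: triage(ver, term) for host, ver, term in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:20} {status}")
```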