CVE-2025-37158 Overview
CVE-2025-37158 is a command injection vulnerability in the HPE Aruba Networking AOS-CX operating system. An authenticated remote attacker can inject arbitrary operating system commands through an affected command path, achieving remote code execution (RCE) on the switch with the privileges of the AOS-CX process that executes the command.
The issue is tracked under CWE-78, Improper Neutralization of Special Elements used in an OS Command. HPE has published advisory hpesbnw04888en_us documenting the affected versions and remediation.
Critical Impact
Authenticated attackers can achieve full Remote Code Execution on AOS-CX switches, compromising confidentiality, integrity, and availability of core network infrastructure.
Affected Products
- HPE Aruba Networking AOS-CX Operating System
- Aruba CX series switches running vulnerable AOS-CX firmware
- Any deployment in which the AOS-CX management plane (CLI or REST API) is reachable by authenticated users, since valid credentials are the only precondition beyond network access
Disclosure Timeline
- 2025-11-18 - CVE-2025-37158 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-37158
Vulnerability Analysis
The vulnerability resides in the AOS-CX operating system that powers HPE Aruba CX series switches. An authenticated user can supply crafted input to a command handler that passes that input to an underlying shell or system call without neutralizing shell syntax. The shell interprets the injected metacharacters as command separators, so attacker-controlled text is executed as additional OS commands.
Because the flaw is reachable over the network and requires only low-privileged credentials and no user interaction, any account with CLI or REST API access is a potential foothold. Successful exploitation compromises the switch control plane, allowing attackers to modify configurations, intercept or redirect traffic, pivot to adjacent management networks, or disable the device.
Root Cause
The root cause is improper neutralization of special elements used in an OS command ([CWE-78]). User-controlled input reaches a command execution function without sufficient validation, allowing metacharacters such as ;, |, &, &&, backticks, $( ) or an embedded newline to terminate the intended command and append attacker-controlled instructions.
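The following is an added illustration of the CWE-78 pattern described above, written for this page; it is not AOS-CX source code and says nothing about which AOS-CX command is actually affected. The hypothetical "ping" wrapper, its arguments and the hostname allow-list are assumptions chosen to make the pattern concrete. The vulnerable form concatenates the operand into a shell string; the hardened form validates the operand against an allow-list and passes an argv list so no shell ever parses it.

```python
"""CWE-78 illustration: a management-command handler that builds a shell
string from user input, next to a hardened version.
Added example for this page; NOT AOS-CX code. The ping wrapper and the
allow-list are assumptions."""
import ipaddress
import re
import shlex
import subprocess

# Allow-list for the one operand this hypothetical command accepts:
# an IP literal or a DNS-style hostname (letters, digits, dot, hyphen).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_vulnerable(target: str) -> str:
    """VULNERABLE: the operand is concatenated into a single string that the
    caller then runs with shell=True, so '10.0.0.1; id' becomes two commands."""
    return f"ping -c 1 {target}"


def shell_would_see(cmdline: str) -> list[str]:
    """Tokenize the way a POSIX shell would, keeping ; | & as separate
    tokens, to show where the injected command boundary appears."""
    return list(shlex.shlex(cmdline, punctuation_chars=True))


def validate_target(target: str) -> str:
    """Accept only an IP literal or a hostname; reject anything else,
    including operands that start with '-' (would be parsed as an option)."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.fullmatch(target) and not target.startswith("-"):
        return target
    raise ValueError(f"rejected target: {target!r}")


def build_ping_hardened(target: str) -> list[str]:
    """HARDENED: validated operand passed as one argv element. With an argv
    list and shell=False the kernel receives the bytes verbatim; ';' is just
    part of a (rejected) hostname, never a command separator."""
    return ["ping", "-c", "1", validate_target(target)]


def run_hardened(target: str) -> int:
    """Execute the hardened form without a shell; returns the exit status."""
    return subprocess.run(build_ping_hardened(target), shell=False,
                          capture_output=True, check=False).returncode


if __name__ == "__main__":
    payload = "10.0.0.1; id"
    print("vulnerable string :", build_ping_vulnerable(payload))
    print("shell would see   :", shell_would_see(build_ping_vulnerable(payload)))
    try:
        build_ping_hardened(payload)
    except ValueError as exc:
        print("hardened rejects  :", exc)
```

The validation step matters even with an argv list: without it, an operand such as "-f" would still reach ping as a flag, which is a different bug (argument injection) from CWE-78 but the same class of mistake, trusting operator input to be data.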
Attack Vector
Exploitation requires network reachability to the AOS-CX management interface and valid credentials. The attacker authenticates to the switch, then submits a malicious payload through a vulnerable command or API endpoint. The OS shell processes the injected commands with the privileges of the AOS-CX command handler, producing RCE on the switch.
No public proof-of-concept exploit or verified exploit code is known, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.054% at the time of writing, reflecting low predicted near-term exploitation activity; EPSS scores are recomputed daily, so re-check before using this figure in a risk decision. Refer to the HPE Security Advisory for vendor-confirmed technical details.
Detection Methods for CVE-2025-37158
Indicators of Compromise
- Shell metacharacters (;, &&, ||, backticks, $( )) appearing in AOS-CX command accounting logs or REST API request bodies. A bare | is a weaker signal on its own, because the AOS-CX CLI legitimately uses it for output filtering (for example show running-config | include ntp); exclude those filter forms before alerting.
- Spawned child processes from the AOS-CX management daemon that do not match normal operator activity.
- New or modified switch configuration entries, user accounts, or SSH keys created outside change-control windows.
- Outbound connections from a switch management interface to unfamiliar external hosts.
Detection Strategies
- Enable AOS-CX command accounting and forward logs to a SIEM for review of authenticated CLI and REST API activity.
- Alert on command strings containing shell metacharacters from any account, and prioritize hits from operator-level or service accounts, which have no legitimate reason to submit such input. Do not exempt administrator accounts: a compromised administrator credential is exactly the foothold this vulnerability needs.
- Correlate authentication events with subsequent configuration changes to identify suspicious sequences from a single session.
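The detection logic above, as an added example written for this page (it is not a vendor-supplied rule). The log line shape, field names, hostnames and sample lines are constructed for illustration; AOS-CX command accounting arrives as syslog and its exact field layout depends on the firmware version and your collector, so adapt LINE_RE to the fields you actually receive. The example handles the edge case from the indicator list: a trailing AOS-CX output filter (| include, | exclude, | begin, | count) is discounted, but only when the filter argument itself contains no further metacharacters.

```python
"""Scan AOS-CX-style command accounting lines for shell metacharacters.
Added example for this page. LOG FORMAT AND SAMPLE LINES ARE CONSTRUCTED."""
import re
from dataclasses import dataclass

# Assumed (constructed) line shape:
#   <ts> <host> <proc>: user=<u> role=<r> src=<ip> cmd="<text>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) \S+: user=(?P<user>\S+) role=(?P<role>\S+) '
    r'src=(?P<src>\S+) cmd="(?P<cmd>.*)"$'
)
# Legitimate AOS-CX CLI output filter at the end of a command, e.g.
# 'show running-config | include ntp'. The argument may not itself carry
# metacharacters, otherwise the whole command is scanned as-is.
OUTPUT_FILTER_RE = re.compile(r'\s\|\s*(include|exclude|begin|count)\b[^|;&`$]*$')
# Metacharacters that have no business in operator CLI/REST input.
# '||' is listed before '|' so it is reported as one token.
METACHAR_RE = re.compile(r'(;|\|\||&&|\||`|\$\(|\n)')


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    role: str
    src: str
    cmd: str
    matched: list[str]


def suspicious_tokens(cmd: str) -> list[str]:
    """Return metacharacters found in cmd after discounting trailing AOS-CX
    output filters. Order is preserved and duplicates are kept."""
    stripped = cmd
    while True:
        reduced = OUTPUT_FILTER_RE.sub("", stripped, count=1)
        if reduced == stripped:
            break
        stripped = reduced
    return METACHAR_RE.findall(stripped)


def scan(lines) -> list[Finding]:
    """Parse each accounting line and emit a Finding for every command that
    still contains metacharacters after filter discounting."""
    findings: list[Finding] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines should be counted separately, not ignored
        toks = suspicious_tokens(m["cmd"])
        if toks:
            findings.append(Finding(m["ts"], m["host"], m["user"], m["role"],
                                    m["src"], m["cmd"], toks))
    return findings


# Constructed sample log; none of these lines come from a real device.
SAMPLE_LOG = [
    '2025-12-04T10:15:02Z cx-core-1 cli[2210]: user=netops role=operators '
    'src=10.10.0.5 cmd="show running-config | include ntp"',
    '2025-12-04T10:16:40Z cx-core-1 cli[2210]: user=netops role=operators '
    'src=10.10.0.5 cmd="ping 10.0.0.1; id"',
    '2025-12-04T10:17:12Z cx-core-1 rest[2311]: user=svc-backup role=administrators '
    'src=203.0.113.9 cmd="copy running-config tftp://203.0.113.9/cfg`whoami`"',
    '2025-12-04T10:18:00Z cx-core-1 cli[2210]: user=admin role=administrators '
    'src=10.10.0.7 cmd="show interface brief"',
    'not a command accounting line',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} user={f.user} role={f.role} src={f.src} "
              f"matched={f.matched} cmd={f.cmd!r}")
```

Ranking by role belongs in the SIEM rule rather than in the parser: the same metacharacter hit from an operators-role account is a stronger indicator than from an administrator, but the administrator hit in the sample (a backtick inside a copy target) is the one that most resembles real abuse of this bug class, so neither should be suppressed.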
Monitoring Recommendations
- Centralize syslog from all AOS-CX devices and retain authentication, command, and configuration-change events.
- Baseline normal administrative activity per account and alert on deviations such as off-hours logins or unusual source IPs.
- Monitor management-plane interfaces for unexpected egress traffic that could indicate post-exploitation command and control.
How to Mitigate CVE-2025-37158
Immediate Actions Required
- Apply the fixed AOS-CX firmware versions identified in HPE advisory hpesbnw04888en_us as soon as possible.
- Audit all AOS-CX local and TACACS+/RADIUS accounts and remove unused or shared credentials.
- Restrict management-plane access to dedicated administrative subnets using ACLs and out-of-band management networks.
- Rotate credentials and SSH keys on any switch suspected of unauthorized access.
Patch Information
HPE has released firmware updates that address CVE-2025-37158. Customers should consult the HPE Security Advisory hpesbnw04888en_us for the complete list of affected AOS-CX versions and corresponding fixed releases, then schedule upgrades through standard change management.
Workarounds
- Limit AOS-CX CLI and REST API access to a small set of trusted administrator accounts protected with strong authentication.
- Enforce role-based access control so that operator-level accounts cannot reach the vulnerable command paths. This summary does not identify which commands or API endpoints are affected, so confirm the scope against the HPE advisory; until the fixed firmware is installed, treat RBAC as defense in depth rather than a complete mitigation.
- Place switch management interfaces behind a jump host and block direct access from user VLANs and the internet.
- Enable command accounting and continuous log review until patched firmware is deployed.
# Configuration example: restrict AOS-CX CLI (SSH) and REST/Web UI (HTTPS) access
# to the admin subnet 10.10.0.0/24 on the mgmt VRF (addresses are placeholders)
switch(config)# ssh server vrf mgmt
switch(config)# https-server vrf mgmt
switch(config)# access-list ip mgmt-acl
switch(config-acl-ip)# 10 permit tcp 10.10.0.0/24 any eq 22
switch(config-acl-ip)# 20 permit tcp 10.10.0.0/24 any eq 443
switch(config-acl-ip)# 30 deny tcp any any eq 22 log
switch(config-acl-ip)# 40 deny tcp any any eq 443 log
switch(config-acl-ip)# 50 permit any any any
switch(config-acl-ip)# exit
switch(config)# apply access-list ip mgmt-acl control-plane vrf mgmt
# Entry 50 is required: ACLs end in an implicit deny, which would otherwise block RADIUS/TACACS+, NTP and syslog on the mgmt VRF.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


