CVE-2025-37168
Published: 13 January 2026
Summary
CVE-2025-37168 is a high-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Arubanetworks Arubaos. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely remediation through vendor patches directly eliminates the arbitrary file deletion vulnerability in the AOS-8 system function.
Enforces approved authorizations for access to system resources, preventing unauthenticated remote deletion of arbitrary files.
Limits permitted actions without identification or authentication, prohibiting unauthenticated access to the vulnerable file deletion function.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated arbitrary file deletion directly enables T1190 exploitation of public-facing apps and facilitates T1070.004 file deletion or T1485 data destruction leading to DoS.
NVD Description
Arbitrary file deletion vulnerability have been identified in a system function of mobility conductors running AOS-8 operating system. Successful exploitation of this vulnerability could allow an unauthenticated remote malicious actor to delete arbitrary files within the affected system and potentially…
more
result in denial-of-service conditions on affected devices.
Deeper analysisAI
CVE-2025-37168 is an arbitrary file deletion vulnerability in a system function of mobility conductors running the AOS-8 operating system. Published on 2026-01-13, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L) and maps to CWE-552, which involves files or directories accessible to external parties.
An unauthenticated remote malicious actor can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows deletion of arbitrary files within the affected system, potentially leading to denial-of-service conditions on the devices.
The HPE security advisory provides details on mitigation and patches: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.
Details
- CWE(s)