CVE-2025-37173
Published: 13 January 2026
Summary
CVE-2025-37173 is a high-severity Improper Input Validation (CWE-20) vulnerability in Aruba Networks ArubaOS. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-37173 is an improper input handling vulnerability (CWE-20) affecting the web-based management interface of mobility conductors running either the AOS-10 or AOS-8 operating systems. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited by an authenticated malicious actor possessing valid credentials. Exploitation is possible over the network with low attack complexity and without requiring user interaction, enabling the attacker to trigger unintended behavior on the affected system and achieve high confidentiality, integrity, and availability impacts.
Mitigation details are provided in the HPE security advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2053
Vulnerability details
An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper input handling in an authenticated web management interface directly enables remote exploitation of a public-facing application.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and verification of inputs to the web management interface, preventing exploitation of the improper input handling flaw.
- Restricts privileges of authenticated users on the mobility conductor, limiting the scope of unintended behavior that can be triggered via crafted inputs.
- AC-3 (Access Enforcement): Enforces authorization checks on all management interface actions, reducing the ability of a valid account to induce high-impact unintended system behavior.