CVE-2025-37173

Severity: High
Published: 13 January 2026
Modified: 23 January 2026
KEV Added: not listed
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0009 (25.5th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-37173 is a high-severity Improper Input Validation (CWE-20) vulnerability in Arubanetworks Arubaos. Its CVSS base score is 7.2 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 25.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2025-37173 is an improper input handling vulnerability (CWE-20) affecting the web-based management interface of mobility conductors running either the AOS-10 or AOS-8 operating systems. Published on 2026-01-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), rated High because a successful exploit yields full confidentiality, integrity, and availability impact on the affected system.

The vulnerability can be exploited by an authenticated malicious actor possessing valid credentials. Exploitation is possible over the network with low attack complexity and without user interaction, but the PR:H metric in the vector means the actor must already hold high-privilege (administrative-level) access to the management interface; with that access, crafted input can trigger unintended behavior on the affected system and achieve high confidentiality, integrity, and availability impacts. This privilege requirement is why the score is 7.2 rather than higher, and it also makes credential hygiene and restricted management-plane exposure the practical first line of defense.

Mitigation details are provided in the HPE security advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.

Vulnerability details

An improper input handling vulnerability exists in the web-based management interface of mobility conductors running either AOS-10 or AOS-8 operating systems. Successful exploitation could allow an authenticated malicious actor with valid credentials to trigger unintended behavior on the affected system.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper input handling in authenticated web management interface directly enables remote exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-37169 (same product: Arubanetworks Arubaos)
CVE-2025-37170 (same product: Arubanetworks Arubaos)
CVE-2025-37172 (same product: Arubanetworks Arubaos)
CVE-2026-23825 (same product: Arubanetworks Arubaos)
CVE-2025-37171 (same product: Arubanetworks Arubaos)
CVE-2025-37176 (same product: Arubanetworks Arubaos)
CVE-2025-37174 (same product: Arubanetworks Arubaos)
CVE-2025-37175 (same product: Arubanetworks Arubaos)
CVE-2025-37168 (same product: Arubanetworks Arubaos)
CVE-2026-23827 (same product: Arubanetworks Arubaos)

Affected Assets

Vendor: arubanetworks
Product: arubaos
Affected versions: 6.5.4.0 to 8.10.0.21 · 8.11.0.0 to 8.13.1.1 · 10.3.0.0 to 10.4.1.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation and verification of inputs to the web management interface, preventing exploitation of the improper input handling flaw.

Prevent: Restricts privileges of authenticated users on the mobility conductor, limiting the scope of unintended behavior that can be triggered via crafted inputs.

Prevent: Enforces authorization checks on all management interface actions, reducing the ability of a valid account to induce high-impact unintended system behavior.
