CVE-2025-37175
Published: 13 January 2026
Summary
CVE-2025-37175 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in HPE Aruba Networking ArubaOS (AOS-8 and AOS-10 mobility conductors). Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 16.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
Beyond applying the vendor fix, the strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-37175 is an arbitrary file upload vulnerability (CWE-434) in the web-based management interface of mobility conductors running either the AOS-10 or AOS-8 operating systems. Published on January 13, 2026, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), reflecting high potential impacts on confidentiality, integrity, and availability.
An authenticated malicious actor with high privileges (PR:H) can exploit this vulnerability over the network with low attack complexity and no user interaction. Successful exploitation allows the attacker to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system. In practice this turns administrative access to the web management interface into an OS-level foothold on the conductor, so the realistic precondition is a compromised or misused administrator account; a management interface reachable from untrusted networks is the exposure that makes the T1190 path available.
The HPE security advisory provides details on mitigation and patches: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2069
Vulnerability details
An arbitrary file upload vulnerability exists in the web-based management interface of mobility conductors running either the AOS-10 or AOS-8 operating system. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files as a privileged user and execute arbitrary commands on the underlying operating system.
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file upload in a network-reachable web management interface is the classic route for exploiting a public-facing application (T1190): the attacker deploys a web shell (T1505.003, Server Software Component: Web Shell) and uses it for OS command execution (T1059, Command and Scripting Interpreter). Unlike a typical T1190 case, this CVE requires an already-privileged account on the interface, so the upload is a post-authentication step rather than the initial foothold.
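The chain above (authenticated upload, then a request that invokes the dropped file) is what a detection should pair up. The following is an added example for this page, not HPE or ArubaOS logic: it runs over constructed access-log lines in common log format, and the `/upload` endpoint and `/uploads/` served path are assumed names, not ArubaOS's real paths.

```python
"""Detection for the upload -> web-shell -> command-execution chain mapped above.
Added example for this page; not HPE/ArubaOS code. The log lines are constructed
in common log format, and /upload and /uploads/ are assumed paths."""
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

UPLOAD_ENDPOINT = "/upload"      # assumed upload handler path
SERVED_PREFIX = "/uploads/"      # assumed location uploaded files are served from
SCRIPT_EXT = (".php", ".jsp", ".jspx", ".aspx", ".cgi", ".sh", ".py")
DEFAULT_WINDOW_SECONDS = 600     # how soon after an upload a first hit is suspicious

# Constructed sample; the fourth line is the dropped web shell being called with a command.
SAMPLE_LOG = [
    '203.0.113.9 - - [13/Jan/2026:09:59:00 +0000] "POST /upload HTTP/1.1" 401 0',
    '198.51.100.7 - admin [13/Jan/2026:10:00:01 +0000] "GET /dashboard HTTP/1.1" 200 5120',
    '198.51.100.7 - admin [13/Jan/2026:10:02:15 +0000] "POST /upload HTTP/1.1" 200 87',
    '198.51.100.7 - - [13/Jan/2026:10:02:40 +0000] "GET /uploads/cfg.php?cmd=id HTTP/1.1" 200 310',
    '203.0.113.9 - - [13/Jan/2026:10:30:00 +0000] "GET /uploads/logo.png HTTP/1.1" 200 4021',
    '203.0.113.9 - - [13/Jan/2026:11:00:00 +0000] "GET /uploads/cfg.php HTTP/1.1" 200 310',
]


def parse_line(line: str):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_webshell_chain(lines, window_seconds: int = DEFAULT_WINDOW_SECONDS):
    """Pair each successful, authenticated POST to the upload endpoint with the first
    later request for a script-suffixed file under the served prefix inside the window.
    Returns a list of (upload_event, execution_event) tuples."""
    window = timedelta(seconds=window_seconds)
    pending = []   # successful uploads not yet matched to an execution request
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        path = ev["path"].split("?", 1)[0].lower()
        if (ev["method"] == "POST" and path == UPLOAD_ENDPOINT
                and 200 <= ev["status"] < 300 and ev["user"] != "-"):
            pending.append(ev)
            continue
        if path.startswith(SERVED_PREFIX) and path.endswith(SCRIPT_EXT):
            for up in pending:
                if timedelta(0) <= ev["ts"] - up["ts"] <= window:
                    hits.append((up, ev))
                    pending.remove(up)
                    break
    return hits


if __name__ == "__main__":
    for up, ex in detect_webshell_chain(SAMPLE_LOG):
        print(f"upload by {up['user']} at {up['ts']} -> {ex['path']} from {ex['ip']}")
```

The unauthenticated 401 POST and the `.png` fetch are deliberately ignored, and the late `cfg.php` request at 11:00 falls outside the window, so only the 10:02 pair fires; in a real deployment the window and the extension list would be tuned to the interface's actual upload features.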
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks arbitrary file uploads by enforcing validation of file types, content, and names before acceptance in the web management interface.
- AC-6 (Least Privilege): limits the actions a high-privilege authenticated user can perform, reducing the ability to upload files or execute OS commands even after authentication.
- CM-7 (Least Functionality): restricts or disables unnecessary web-interface functions, such as unrestricted file upload, that enable the arbitrary command execution path.
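What SI-10 means for an upload handler is easier to see in code. The following is an added example written for this page, not ArubaOS or HPE code: the naive CWE-434 pattern beside a hardened version that validates name, extension, size and content, then stores the file under a server-chosen name. The allow-list, the filenames and the upload directory are assumptions made for the example.

```python
"""CWE-434 upload handling: the naive pattern beside a hardened one.
Added example for this page; not ArubaOS/HPE code. The allow-list, filenames
and upload directory are assumptions."""
import os
import re
import secrets
import tempfile
from pathlib import Path

# Allow-list of accepted extensions and the magic bytes each must start with.
# Constructed for the example; a real interface would derive this from the
# upload features it actually needs (certificates, images, ...).
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pem": b"-----BEGIN ",
}
MAX_UPLOAD_BYTES = 1024 * 1024


class UploadRejected(ValueError):
    """Raised with a short reason code when a file fails validation."""


def naive_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """The CWE-434 pattern: trust the client-supplied name and write it as is.
    'shell.php' or '../../etc/cron.d/job' are stored exactly where asked."""
    dest = os.path.join(upload_dir, client_filename)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def validate_upload(client_filename: str, data: bytes) -> str:
    """SI-10 style validation: size, name, extension and content must all agree.
    Returns the extension the stored file will get."""
    if not data or len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("size")
    # Drop any directory part the client sent (both / and \ separators).
    base = re.split(r"[\\/]", client_filename)[-1]
    if base in ("", ".", "..") or "\x00" in base:
        raise UploadRejected("name")
    # Exactly one dot: rejects 'x.php.png' double extensions, bare and dot-files.
    if base.count(".") != 1 or base.startswith("."):
        raise UploadRejected("name")
    ext = Path(base).suffix.lower()
    magic = ALLOWED_TYPES.get(ext)
    if magic is None:
        raise UploadRejected("extension")
    # Content check: the extension alone proves nothing about the bytes.
    if not data.startswith(magic):
        raise UploadRejected("content")
    return ext


def hardened_save(upload_dir: str, client_filename: str, data: bytes) -> str:
    """Validate, then store under a server-chosen random name with mode 0600.
    upload_dir is assumed to be outside any web-served or executable path."""
    ext = validate_upload(client_filename, data)
    root = Path(upload_dir).resolve()
    root.mkdir(parents=True, exist_ok=True)
    dest = root / f"{secrets.token_hex(16)}{ext}"
    # Belt and braces: the final path must still sit directly inside root.
    if dest.resolve().parent != root:
        raise UploadRejected("path")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return str(dest)


def demo() -> dict:
    """Run both handlers over a benign image and a script disguised as one.
    Returns what each handler accepted so the difference is visible."""
    tmp = tempfile.mkdtemp(prefix="cwe434-")
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG header
    shell = b"<?php system($_GET['cmd']); ?>"          # constructed web-shell body
    out = {"naive": [], "hardened": []}
    for name, body in (("logo.png", png), ("cfg.php", shell), ("logo.php.png", shell)):
        out["naive"].append(os.path.basename(naive_save(tmp, name, body)))
        try:
            out["hardened"].append(Path(hardened_save(tmp, name, body)).suffix)
        except UploadRejected as exc:
            out["hardened"].append(f"rejected:{exc}")
    return out


if __name__ == "__main__":
    print(demo())
```

The naive handler writes all three files as named, including the `.php` script; the hardened one keeps only the PNG, and even that under a random name the client never learns. AC-6 and CM-7 apply on top of this: the upload feature should exist only where a role genuinely needs it, and the account that runs the web interface should not be able to turn a stored file into a process.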