Cyber Resilience

CVE-2025-37178

Medium

Published: 13 January 2026

Published
13 January 2026
Modified
23 January 2026
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score 0.0006 18.2th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-37178 is a medium-severity Out-of-bounds Read (CWE-125) vulnerability in Arubanetworks Arubaos. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 18.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-39 (Process Isolation).

Deeper analysis

CVE-2025-37178 involves multiple out-of-bounds read vulnerabilities (CWE-125) in a system component responsible for handling certain data buffers. The flaws arise from insufficient validation of maximum buffer size values, allowing the process to attempt reads beyond the intended memory region under specific conditions. This can result in a crash of the affected process. The vulnerability carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) and was published on 2026-01-13T20:16:05.983.

Remote attackers without privileges can exploit the vulnerability over the network with low complexity and no user interaction required. By providing crafted input that bypasses buffer size checks, an attacker can trigger the out-of-bounds read, causing the affected process to crash and potentially leading to a denial-of-service condition limited to low availability impact with no confidentiality or integrity effects.

The HPE security bulletin provides further details on the issue, available at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04987en_us&docLocale=en_US.

EU & UK References

Vulnerability details

Multiple out-of-bounds read vulnerabilities were identified in a system component responsible for handling certain data buffers. Due to insufficient validation of maximum buffer size values, the process may attempt to read beyond the intended memory region. Under specific conditions, this…

more

can result in a crash of the affected process and a potential denial-of-service of the compromised process.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read via crafted network input directly enables application/system crash for DoS (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-37174Same product: Arubanetworks Arubaos
CVE-2025-37175Same product: Arubanetworks Arubaos
CVE-2026-23826Same product: Arubanetworks Arubaos
CVE-2025-37169Same product: Arubanetworks Arubaos
CVE-2025-37168Same product: Arubanetworks Arubaos
CVE-2025-37170Same product: Arubanetworks Arubaos
CVE-2025-37172Same product: Arubanetworks Arubaos
CVE-2025-37171Same product: Arubanetworks Arubaos
CVE-2025-37176Same product: Arubanetworks Arubaos
CVE-2025-37173Same product: Arubanetworks Arubaos

Affected Assets

arubanetworks
arubaos
8.6.0.0 — 8.10.0.21 · 8.11.0.0 — 8.13.1.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of input buffer size values to block the crafted data that triggers out-of-bounds reads.

preventdetect

Applies memory-access protections that can detect or block reads beyond allocated buffer regions.

prevent

Isolates the vulnerable process so an out-of-bounds read crash cannot affect other system components.

References