Refine your search
10 vulnerabilities found for HPE Aruba Networking AOS-CX by Hewlett Packard Enterprise (HPE)
CVE-2025-37160 (GCVE-0-2025-37160)
Vulnerability from nvd
Published
2025-11-18 18:54
Modified
2025-11-18 20:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:56:16.719220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:56:20.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dugisan3rd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.\u003c/p\u003e"
}
],
"value": "A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:54:09.908Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Broken Access Control (BAC) in REST API Configuration Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37160",
"datePublished": "2025-11-18T18:54:09.908Z",
"dateReserved": "2025-04-16T01:28:25.374Z",
"dateUpdated": "2025-11-18T20:56:20.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37159 (GCVE-0-2025-37159)
Vulnerability from nvd
Published
2025-11-18 18:52
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:34.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0x50d"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:52:46.501Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Session Hijacking Allows Unauthorized Access in Network Switching Software",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37159",
"datePublished": "2025-11-18T18:52:46.501Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-19T04:55:34.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37158 (GCVE-0-2025-37158)
Vulnerability from nvd
Published
2025-11-18 18:51
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:35.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "zzcentury from Ubisetech Sirius Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.\u003c/p\u003e"
}
],
"value": "A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:51:28.623Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Command Injection allows Unauthorized Command Execution in AOS-CX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37158",
"datePublished": "2025-11-18T18:51:28.623Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-19T04:55:35.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37156 (GCVE-0-2025-37156)
Vulnerability from nvd
Published
2025-11-18 18:46
Modified
2025-11-18 20:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:12:58.972214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:28:30.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicholas Starke"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional.\u003c/p\u003e"
}
],
"value": "A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:46:10.640Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "ArubaOS-CX Platform-Level Denial-of-Service Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37156",
"datePublished": "2025-11-18T18:46:10.640Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-18T20:28:30.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37155 (GCVE-0-2025-37155)
Vulnerability from nvd
Published
2025-11-18 18:40
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:36.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Angelo Catalani"
},
{
"lang": "en",
"type": "reporter",
"value": "Giacomo Gloria"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.\u003c/p\u003e"
}
],
"value": "A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:40:40.560Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "EXTERNAL"
},
"title": "Authenticated Privilege Escalation Allows Unauthorized Access in Network Management Interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37155",
"datePublished": "2025-11-18T18:40:40.560Z",
"dateReserved": "2025-04-16T01:28:25.369Z",
"dateUpdated": "2025-11-19T04:55:36.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37160 (GCVE-0-2025-37160)
Vulnerability from cvelistv5
Published
2025-11-18 18:54
Modified
2025-11-18 20:56
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37160",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:56:16.719220Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:56:20.675Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "dugisan3rd"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data.\u003c/p\u003e"
}
],
"value": "A broken access control (BAC) vulnerability in the web-based management interface could allow an authenticated remote attacker with low privileges to view sensitive information. Successful exploitation of this vulnerability could enable the attacker to disclose sensitive data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:54:09.908Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Broken Access Control (BAC) in REST API Configuration Service",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37160",
"datePublished": "2025-11-18T18:54:09.908Z",
"dateReserved": "2025-04-16T01:28:25.374Z",
"dateUpdated": "2025-11-18T20:56:20.675Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37159 (GCVE-0-2025-37159)
Vulnerability from cvelistv5
Published
2025-11-18 18:52
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37159",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-384",
"description": "CWE-384 Session Fixation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:34.559Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0x50d"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data.\u003c/p\u003e"
}
],
"value": "A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:52:46.501Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Session Hijacking Allows Unauthorized Access in Network Switching Software",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37159",
"datePublished": "2025-11-18T18:52:46.501Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-19T04:55:34.559Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37158 (GCVE-0-2025-37158)
Vulnerability from cvelistv5
Published
2025-11-18 18:51
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37158",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:35.219Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "zzcentury from Ubisetech Sirius Team"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system.\u003c/p\u003e"
}
],
"value": "A command injection vulnerability exists in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct a Remote Code Execution (RCE) on the affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:51:28.623Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "Authenticated Command Injection allows Unauthorized Command Execution in AOS-CX",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37158",
"datePublished": "2025-11-18T18:51:28.623Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-19T04:55:35.219Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37156 (GCVE-0-2025-37156)
Vulnerability from cvelistv5
Published
2025-11-18 18:46
Modified
2025-11-18 20:28
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37156",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T20:12:58.972214Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T20:28:30.645Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Nicholas Starke"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional.\u003c/p\u003e"
}
],
"value": "A platform-level denial-of-service (DoS) vulnerability exists in ArubaOS-CX software. Successful exploitation of this vulnerability could allow an attacker with administrative access to execute specific code that renders the switch non-bootable and effectively non-functional."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:46:10.640Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "INTERNAL"
},
"title": "ArubaOS-CX Platform-Level Denial-of-Service Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37156",
"datePublished": "2025-11-18T18:46:10.640Z",
"dateReserved": "2025-04-16T01:28:25.370Z",
"dateUpdated": "2025-11-18T20:28:30.645Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-37155 (GCVE-0-2025-37155)
Vulnerability from cvelistv5
Published
2025-11-18 18:40
Modified
2025-11-19 04:55
Severity ?
VLAI Severity ?
EPSS score ?
Summary
A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Hewlett Packard Enterprise (HPE) | HPE Aruba Networking AOS-CX |
Version: 10.16.0000 ≤ 10.16.1000 Version: 10.15.0000 ≤ 10.15.1020 Version: 10.14.0000 ≤ 10.14.1050 Version: 10.13.0000 ≤ 10.13.1090 Version: 10.10.0000 ≤ 10.10.1160 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-37155",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:55:36.599Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "HPE Aruba Networking AOS-CX",
"vendor": "Hewlett Packard Enterprise (HPE)",
"versions": [
{
"lessThanOrEqual": "10.16.1000",
"status": "affected",
"version": "10.16.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.15.1020",
"status": "affected",
"version": "10.15.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.14.1050",
"status": "affected",
"version": "10.14.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.13.1090",
"status": "affected",
"version": "10.13.0000",
"versionType": "semver"
},
{
"lessThanOrEqual": "10.10.1160",
"status": "affected",
"version": "10.10.0000",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Angelo Catalani"
},
{
"lang": "en",
"type": "reporter",
"value": "Giacomo Gloria"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eA vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system.\u003c/p\u003e"
}
],
"value": "A vulnerability in the SSH restricted shell interface of the network management services allows improper access control for authenticated read-only users. If successfully exploited, this vulnerability could allow an attacker with read-only privileges to gain administrator access on the affected system."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T18:40:40.560Z",
"orgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"shortName": "hpe"
},
"references": [
{
"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us\u0026docLocale=en_US"
}
],
"source": {
"advisory": "HPESBNW04888",
"discovery": "EXTERNAL"
},
"title": "Authenticated Privilege Escalation Allows Unauthorized Access in Network Management Interface",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "eb103674-0d28-4225-80f8-39fb86215de0",
"assignerShortName": "hpe",
"cveId": "CVE-2025-37155",
"datePublished": "2025-11-18T18:40:40.560Z",
"dateReserved": "2025-04-16T01:28:25.369Z",
"dateUpdated": "2025-11-19T04:55:36.599Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}