CVE-2025-37100 is a high-severity vulnerability affecting Hewlett Packard Enterprise's Aruba Networking Private 5G Core product, specifically version 1.24.1.0. The vulnerability resides in the product's APIs, which improperly handle filesystem navigation requests. This flaw allows an attacker with limited privileges (requiring some level of authentication but no user interaction) to iteratively traverse the filesystem beyond intended boundaries. By exploiting this directory traversal weakness (CWE-22) combined with improper access control (CWE-922), an attacker can access and download protected system files containing sensitive information. The vulnerability is remotely exploitable over the network (CVSS vector AV:N) with low attack complexity (AC:L), and it impacts confidentiality severely (C:H) without affecting integrity or availability. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component, potentially exposing sensitive data across the system. Although no known exploits are currently in the wild, the vulnerability's nature and severity make it a significant risk, especially in environments deploying private 5G networks where sensitive operational and user data may be stored or processed. The lack of a published patch at the time of disclosure increases the urgency for mitigation and monitoring.

For European organizations, the exploitation of this vulnerability could lead to unauthorized disclosure of sensitive information managed within private 5G core networks. This includes potentially critical operational data, user credentials, network configurations, and other protected system files. Given the increasing adoption of private 5G networks in sectors such as manufacturing, telecommunications, healthcare, and critical infrastructure across Europe, the confidentiality breach could result in intellectual property theft, regulatory non-compliance (e.g., GDPR violations), and erosion of trust with customers and partners. The exposure of sensitive data could also facilitate further attacks, including lateral movement or targeted espionage. Since the vulnerability does not impact integrity or availability directly, immediate service disruption is less likely; however, the long-term consequences of data leakage could be severe. Organizations relying on HPE Aruba Networking Private 5G Core for secure communications and network slicing may find their security posture significantly weakened if this vulnerability is exploited.

European organizations using HPE Aruba Networking Private 5G Core version 1.24.1.0 should immediately assess their exposure and implement compensating controls until an official patch is released. Specific recommendations include: 1) Restrict network access to the vulnerable APIs by implementing strict firewall rules and network segmentation to limit exposure only to trusted management networks. 2) Enforce strong authentication and authorization policies to minimize the risk posed by attackers with limited privileges. 3) Monitor API access logs for unusual filesystem navigation patterns or repeated unauthorized access attempts indicative of exploitation attempts. 4) Employ intrusion detection and prevention systems (IDPS) tuned to detect directory traversal and unauthorized file access behaviors. 5) Coordinate with HPE for timely updates and apply patches as soon as they become available. 6) Conduct internal audits of sensitive file permissions and ensure minimal necessary access rights are granted to system components. 7) Educate network and security teams about this vulnerability to improve incident response readiness. These targeted measures go beyond generic advice by focusing on access control, monitoring, and network-level protections specific to the vulnerable APIs and their operational context.