
CVE-2025-37133: Vulnerability in Hewlett Packard Enterprise (HPE) ArubaOS (AOS)

Severity: High
Published: Tue Oct 14 2025 (10/14/2025, 16:54:36 UTC)
Source: CVE Database V5
Vendor/Project: Hewlett Packard Enterprise (HPE)
Product: ArubaOS (AOS)

Description

An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.

AI-Powered Analysis

Last updated: 10/21/2025, 17:19:31 UTC

Technical Analysis

CVE-2025-37133 identifies an authenticated command injection vulnerability within the CLI binary of Hewlett Packard Enterprise's ArubaOS (AOS) Controller and Mobility Conductor operating systems. This vulnerability affects multiple versions, including 8.10.0.0, 8.12.0.0, 8.13.0.0, 10.4.0.0, and 10.7.0.0. The root cause is improper input validation in the command-line interface, classified under CWE-77 (Improper Neutralization of Special Elements used in a Command). An attacker with valid credentials can exploit this flaw to execute arbitrary commands with elevated privileges on the underlying OS, potentially leading to full system compromise. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability's nature makes it a significant risk for environments relying on ArubaOS for network management and mobility control. The lack of available patches at the time of disclosure necessitates immediate risk mitigation through access controls and monitoring.

Potential Impact

For European organizations, this vulnerability poses a critical risk to network infrastructure security, especially those deploying HPE ArubaOS Controllers and Mobility Conductors. Successful exploitation can lead to unauthorized command execution with privileged access, enabling attackers to manipulate network configurations, intercept or disrupt traffic, deploy persistent malware, or cause denial of service. This could severely impact sectors such as telecommunications, finance, government, and critical infrastructure, where ArubaOS devices are commonly used. The compromise of network controllers can cascade into broader network outages or data breaches, affecting confidentiality, integrity, and availability of sensitive information and services. Given the high adoption of HPE networking equipment in Europe, the threat could disrupt business continuity and regulatory compliance, particularly under GDPR and NIS Directive requirements.

Mitigation Recommendations

Organizations should immediately review and restrict access to ArubaOS CLI interfaces, ensuring only trusted administrators have authenticated access. Implement network segmentation and strong authentication mechanisms such as multi-factor authentication for management interfaces. Monitor logs and command execution patterns for anomalies indicative of exploitation attempts. Since no patches are currently available, consider temporary compensating controls like disabling unnecessary CLI commands or interfaces where feasible. Maintain up-to-date inventories of affected ArubaOS versions and subscribe to HPE security advisories for timely patch releases. Conduct penetration testing and vulnerability assessments focused on ArubaOS devices to identify potential exploitation. Additionally, enforce strict change management and incident response plans tailored to network infrastructure compromise scenarios.


Technical Details

Data Version: 5.1
Assigner Short Name: hpe
Date Reserved: 2025-04-16T01:28:25.367Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68ee81fc8fa40b621b08e88e

Added to database: 10/14/2025, 5:01:48 PM

Last enriched: 10/21/2025, 5:19:31 PM

Last updated: 11/27/2025, 6:50:27 AM
