CVE-2025-37137 identifies arbitrary file deletion vulnerabilities within the command-line interface of Hewlett Packard Enterprise's ArubaOS (AOS), specifically affecting AOS-8 Controllers and Mobility Conductors. The affected versions include 8.10.0.0, 8.12.0.0, 8.13.0.0, 10.4.0.0, and 10.7.0.0. This vulnerability allows a remote attacker who has authenticated access with high privileges to delete arbitrary files on the affected system. The attack vector is network-based, requiring no user interaction but necessitating authentication, which implies that the attacker must already have valid credentials or have compromised an account with sufficient privileges. The deletion of arbitrary files can lead to significant integrity and availability issues, potentially causing system misconfigurations, denial of service, or disruption of network management functions. The vulnerability does not impact confidentiality directly, as there is no indication of data disclosure. The CVSS v3.1 base score of 6.5 reflects a medium severity rating, with attack vector network (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), high integrity impact (I:H), and high availability impact (A:H). No known exploits have been reported in the wild as of the published date. The vulnerability was reserved in April 2025 and published in October 2025, indicating recent discovery and disclosure. ArubaOS is widely used in enterprise wireless network infrastructure, making this vulnerability relevant to organizations relying on HPE Aruba products for network access control and mobility management.

For European organizations, exploitation of CVE-2025-37137 could result in deletion of critical configuration or system files on ArubaOS Controllers or Mobility Conductors, leading to network outages or degraded wireless service availability. This could disrupt business operations, especially in sectors relying heavily on wireless connectivity such as finance, healthcare, manufacturing, and public services. The integrity of network management systems could be compromised, potentially requiring time-consuming recovery or reconfiguration. Since the vulnerability requires authenticated access with high privileges, the primary risk vector involves insider threats or attackers who have already compromised privileged credentials. The impact on confidentiality is minimal, but the integrity and availability impacts are significant, potentially affecting large-scale wireless network deployments. Given the reliance on ArubaOS in many European enterprises and public sector networks, the threat could affect critical infrastructure and services, increasing operational risk and potential regulatory scrutiny under frameworks like GDPR if service disruptions affect personal data processing.

To mitigate CVE-2025-37137, European organizations should implement strict access controls to limit CLI access to ArubaOS Controllers and Mobility Conductors only to trusted administrators. Employ multi-factor authentication (MFA) for all privileged accounts to reduce the risk of credential compromise. Regularly audit and monitor privileged user activities and system logs for unusual file deletion or configuration changes. Network segmentation should be used to isolate management interfaces from general network access, reducing exposure to remote attackers. Until patches are available, consider disabling or restricting CLI commands that allow file deletion if feasible. Maintain up-to-date backups of device configurations and critical files to enable rapid recovery in case of exploitation. Engage with HPE support to obtain and apply security updates promptly once released. Additionally, conduct regular vulnerability assessments and penetration testing focused on network infrastructure devices to detect potential exploitation attempts early.