CVE-2025-37143 is an arbitrary file download vulnerability identified in Hewlett Packard Enterprise's ArubaOS (AOS) versions 8.10.0.0, 8.12.0.0, 8.13.0.0, 10.4.0.0, and 10.7.0.0. The flaw resides in the web-based management interface of AOS-10 Gateways and AOS-8 Controllers/Mobility Conductors, which are critical components in enterprise wireless and wired network infrastructure. An authenticated attacker with high privileges can exploit this vulnerability by crafting specific requests that trick the system into disclosing arbitrary files stored on the device. This can lead to unauthorized disclosure of sensitive configuration files, credentials, or other confidential data stored on the device. The vulnerability does not allow modification or deletion of files, nor does it impact system availability. Exploitation requires no user interaction but does require valid authentication, limiting the attacker to insiders or those who have compromised legitimate accounts. The CVSS 3.1 base score is 4.9 (medium), reflecting the network attack vector, low attack complexity, high privileges required, no user interaction, and high confidentiality impact. No public exploits or active exploitation have been reported yet. The vulnerability was reserved in April 2025 and published in October 2025, but no official patches or mitigations have been linked at this time. ArubaOS is widely deployed in enterprise environments for managing wireless access points and network controllers, making this vulnerability relevant for organizations relying on HPE Aruba networking solutions.

The primary impact of CVE-2025-37143 is unauthorized disclosure of sensitive information from affected ArubaOS devices. Confidentiality is compromised as attackers can download arbitrary files, potentially exposing network configurations, credentials, or other sensitive data. This could facilitate further attacks such as lateral movement, privilege escalation, or targeted espionage. Integrity and availability are not directly affected. For European organizations, especially those in critical infrastructure, finance, government, and large enterprises using ArubaOS controllers, this vulnerability poses a risk to network security and data privacy. Exposure of sensitive configuration files could undermine network defenses and compliance with GDPR and other data protection regulations. The requirement for authenticated access reduces the risk from external attackers but raises concerns about insider threats or compromised credentials. The absence of known exploits in the wild currently limits immediate risk, but the vulnerability should be addressed proactively to prevent future exploitation.

1. Apply official patches or updates from Hewlett Packard Enterprise as soon as they become available to address CVE-2025-37143. 2. Restrict access to the ArubaOS web-based management interface to trusted administrative networks using network segmentation and firewall rules. 3. Enforce strong multi-factor authentication (MFA) for all users accessing the management interface to reduce the risk of credential compromise. 4. Regularly audit and monitor access logs for unusual file download activities or anomalous behavior indicative of exploitation attempts. 5. Limit the number of users with high privilege accounts and review permissions to ensure least privilege principles are followed. 6. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned to detect suspicious requests targeting the management interface. 7. Educate administrators on the risks of credential theft and encourage secure password practices. 8. If possible, disable or isolate management interfaces from internet-facing networks to minimize exposure. 9. Maintain up-to-date backups of device configurations to enable recovery if compromise occurs. 10. Coordinate with HPE support for guidance and early access to patches or workarounds.