CVE-2025-37144 is an arbitrary file download vulnerability identified in Hewlett Packard Enterprise's ArubaOS (AOS) operating systems, specifically versions 8.10.0.0, 8.12.0.0, 8.13.0.0, 10.4.0.0, and 10.7.0.0. The flaw resides in a low-level interface library component of AOS-10 Gateway and AOS-8 Controller/Mobility Conductor platforms. Exploitation requires an attacker to be authenticated with high privileges, as indicated by the CVSS vector (PR:H), but does not require user interaction (UI:N). By leveraging carefully crafted requests, an attacker can download arbitrary files from the device, potentially exposing sensitive configuration files, credentials, or other confidential data stored on the system. The vulnerability does not affect the integrity or availability of the system, focusing primarily on confidentiality breach. The CVSS score of 4.9 (medium severity) reflects the moderate risk due to the authentication requirement and lack of direct impact on system operation. No public exploits have been reported at this time, but the vulnerability is publicly disclosed and should be addressed promptly. ArubaOS is widely used in enterprise wireless and network infrastructure, making this vulnerability relevant for organizations relying on HPE Aruba products for secure network management.

For European organizations, the primary impact of CVE-2025-37144 is the potential unauthorized disclosure of sensitive information stored on ArubaOS devices. This could include network configurations, security credentials, or other critical data that could facilitate further attacks or espionage. Confidentiality breaches could undermine compliance with GDPR and other data protection regulations, leading to legal and reputational consequences. While the vulnerability does not directly disrupt network availability or integrity, the exposure of sensitive files could enable attackers to escalate privileges or conduct lateral movement within networks. Organizations in sectors such as finance, telecommunications, government, and critical infrastructure that deploy ArubaOS devices are at heightened risk. The requirement for authenticated access somewhat limits the threat to insiders or attackers who have already compromised credentials, but the risk remains significant given the sensitive nature of the data accessible through this flaw.

To mitigate CVE-2025-37144, European organizations should take several specific actions beyond generic patching advice: 1) Immediately audit and restrict administrative access to ArubaOS devices, ensuring only trusted personnel have high-privilege accounts. 2) Implement multi-factor authentication (MFA) for all administrative access to reduce the risk of credential compromise. 3) Monitor logs and network traffic for unusual file download requests or access patterns indicative of exploitation attempts. 4) Segment ArubaOS management interfaces from general network access to limit exposure. 5) Apply vendor patches or firmware updates as soon as they become available from HPE. 6) Conduct regular security assessments and penetration tests focusing on network infrastructure devices to detect potential abuse of this vulnerability. 7) Educate administrators on the risks of arbitrary file download vulnerabilities and the importance of safeguarding credentials and access paths. These targeted measures will reduce the attack surface and help detect or prevent exploitation of this vulnerability.