CVE-2025-37145 identifies an arbitrary file download vulnerability in Hewlett Packard Enterprise's ArubaOS (AOS) operating systems, specifically affecting versions 8.10.0.0, 8.12.0.0, 8.13.0.0, 10.4.0.0, and 10.7.0.0. The flaw exists in a low-level interface library used by AOS-10 Gateways and AOS-8 Controller/Mobility Conductor devices. An attacker who is authenticated with high privileges can exploit this vulnerability by crafting specific requests that leverage the interface flaw to download arbitrary files from the system. This does not require user interaction but does require prior authentication with elevated rights, limiting the attack surface to insiders or compromised administrative accounts. The vulnerability impacts confidentiality by potentially exposing sensitive configuration files, credentials, or other critical data stored on the device. The CVSS v3.1 base score is 4.9, reflecting medium severity, with attack vector network (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity (I:N) or availability (A:N) impact. No public exploits or active exploitation have been reported to date. The vulnerability was reserved in April 2025 and published in October 2025, but no patch links are currently provided, indicating that remediation may be pending or in progress. ArubaOS is widely used in enterprise networking environments for wireless LAN controllers and mobility management, making this vulnerability relevant for organizations relying on HPE Aruba infrastructure.

For European organizations, the primary impact of CVE-2025-37145 is unauthorized disclosure of sensitive information stored on ArubaOS devices. This could include network configuration files, authentication credentials, or other proprietary data, potentially enabling further attacks or espionage. Confidentiality breaches can undermine trust, violate data protection regulations such as GDPR, and expose critical infrastructure details. Since exploitation requires high-privilege authentication, the threat is mainly from insider threats or attackers who have already compromised administrative credentials. The lack of integrity or availability impact limits the risk of service disruption or data tampering. However, the exposure of sensitive files could facilitate lateral movement or escalation in targeted attacks against European enterprises, especially those in sectors like finance, telecommunications, government, and critical infrastructure that commonly deploy ArubaOS solutions. The absence of known exploits reduces immediate risk but does not eliminate the need for vigilance and remediation.

1. Apply official patches or updates from Hewlett Packard Enterprise as soon as they become available to address the vulnerability directly. 2. Restrict administrative access to ArubaOS devices using network segmentation, VPNs, and strict access control lists to limit exposure to trusted personnel only. 3. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), for all administrative accounts to reduce the risk of credential compromise. 4. Regularly audit and monitor access logs on ArubaOS devices for unusual file download activities or access patterns indicative of exploitation attempts. 5. Implement network intrusion detection/prevention systems (IDS/IPS) with signatures or heuristics targeting suspicious requests to ArubaOS management interfaces. 6. Conduct periodic security training and awareness for administrators to recognize phishing or social engineering attempts that could lead to credential theft. 7. Maintain an inventory of all ArubaOS devices and their firmware versions to ensure timely identification and remediation of vulnerable systems. 8. Consider deploying compensating controls such as limiting file system access permissions on the devices if feasible until patches are applied.