CVE-2025-37158 identifies a command injection vulnerability in Hewlett Packard Enterprise's Aruba Networking AOS-CX operating system, specifically affecting versions 10.10.0000 through 10.16.0000. The flaw allows an authenticated remote attacker to inject and execute arbitrary OS commands on the device, resulting in remote code execution (RCE). The vulnerability stems from improper input validation or sanitization in command processing components of the AOS-CX OS, categorized under CWE-78 (OS Command Injection). Exploitation requires the attacker to have network-level access to the device and be authenticated, but does not require user interaction. The attack complexity is high, indicating that exploitation may require specific conditions or knowledge. The CVSS v3.1 base score is 6.7, reflecting a medium severity with high impact on confidentiality and integrity, but no impact on availability. This vulnerability could allow attackers to compromise network infrastructure devices, potentially leading to unauthorized data access, manipulation of network traffic, or further lateral movement within an enterprise network. No public exploits or patches are currently available, emphasizing the need for vigilance and proactive mitigation by affected organizations.

The primary impact of CVE-2025-37158 is the potential for remote code execution on critical network infrastructure devices running HPE Aruba AOS-CX. Successful exploitation could lead to unauthorized access to sensitive network configurations and data, manipulation or interception of network traffic, and disruption of network security controls. Although availability is not directly impacted, the compromise of network devices can indirectly affect network stability and service reliability. The confidentiality and integrity of enterprise networks are at risk, especially in environments relying heavily on Aruba AOS-CX for core switching and routing functions. Attackers gaining control over these devices could establish persistent footholds, conduct reconnaissance, or pivot to other internal systems. The medium CVSS score reflects the requirement for authentication and high attack complexity, which somewhat limits the threat scope but does not eliminate risk, particularly in large organizations with many administrators or complex network topologies.

Organizations should immediately review and tighten authentication mechanisms for HPE Aruba AOS-CX devices, ensuring strong, unique credentials and limiting administrative access to trusted personnel only. Network segmentation should be enforced to restrict access to management interfaces from untrusted networks. Implement strict access control lists (ACLs) and monitoring on management VLANs to detect anomalous command execution or login attempts. Employ network intrusion detection and prevention systems (IDS/IPS) with signatures tuned for command injection patterns. Regularly audit device configurations and logs for signs of compromise or unauthorized changes. Until official patches are released, consider temporarily disabling remote management features or restricting them to secure management networks. Engage with HPE support channels to obtain updates on patch availability and apply them promptly once released. Additionally, conduct security awareness training for administrators to recognize phishing or social engineering attempts that could lead to credential compromise.