CVE-2025-37160 is a broken access control vulnerability identified in Hewlett Packard Enterprise's Aruba Networking AOS-CX operating system, specifically within its web-based management interface. The flaw allows an authenticated remote attacker with low privileges—meaning no administrative rights—to bypass access controls and view sensitive information that should otherwise be restricted. The vulnerability affects multiple versions of AOS-CX, including 10.10.0000 through 10.16.0000. The attack vector is network-based, requiring no user interaction, and can be executed remotely over the network. The vulnerability does not allow modification or deletion of data (no integrity or availability impact), but unauthorized disclosure of sensitive configuration or operational data could facilitate further attacks or reconnaissance. The CVSS v3.1 base score is 5.3, reflecting medium severity with attack vector as network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impact limited to confidentiality (C:L). No known exploits have been reported in the wild as of the published date. The vulnerability stems from improper enforcement of access control policies in the management interface, which should restrict sensitive data visibility based on user privilege level. This issue is critical to address in environments where low-privilege accounts exist or where the management interface is exposed to untrusted networks. Since Aruba AOS-CX is widely deployed in enterprise and service provider networks for switching infrastructure, exploitation could expose sensitive network configuration details, potentially aiding lateral movement or targeted attacks.

For European organizations, the primary impact of CVE-2025-37160 is the unauthorized disclosure of sensitive information through the compromised management interface of HPE Aruba AOS-CX switches. This could include network configuration details, credentials, or operational data that attackers can leverage for further intrusion or lateral movement within the network. While the vulnerability does not directly allow system control or denial of service, the exposure of sensitive data can undermine confidentiality and facilitate more severe attacks. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and critical infrastructure, could face regulatory and reputational consequences if sensitive network information is leaked. Additionally, attackers gaining insight into network topology and configurations may craft more effective targeted attacks or evade detection. The medium severity rating reflects the limited scope of impact but acknowledges the potential for significant downstream effects if exploited. European enterprises relying heavily on Aruba AOS-CX for their network infrastructure should consider this vulnerability a priority for remediation to maintain network security and compliance.

1. Monitor HPE’s official security advisories and apply patches or firmware updates as soon as they become available for the affected AOS-CX versions. 2. Restrict access to the web-based management interface by implementing network segmentation and firewall rules that limit management traffic to trusted administrative networks only. 3. Enforce strong authentication mechanisms for all users accessing the management interface, including multi-factor authentication (MFA) where supported. 4. Regularly audit user accounts and privileges to ensure that low-privilege accounts are minimized and monitored for suspicious activity. 5. Employ network monitoring and intrusion detection systems to detect anomalous access patterns to the management interface. 6. Consider disabling or restricting web-based management interfaces if alternative secure management methods (e.g., SSH with strict access controls) are available. 7. Conduct periodic security assessments and penetration testing focused on management interfaces to identify and remediate access control weaknesses proactively. 8. Educate network administrators about the risks of exposing management interfaces and best practices for secure configuration.