CVE-2025-37161 is a vulnerability identified in the web-based management interface of Hewlett Packard Enterprise's Aruba Networking 100 Series Cellular Bridge devices, specifically affecting version 10.7.0.0. The flaw allows an unauthenticated remote attacker to trigger a denial of service (DoS) condition by crashing the device. The attack vector is network-based and does not require any authentication or user interaction, making exploitation straightforward for an attacker with network access. Upon successful exploitation, the device crashes and cannot reboot automatically, necessitating manual intervention to restore functionality. This results in significant disruption to network operations, particularly where these devices serve as critical cellular bridges for connectivity. The vulnerability does not impact confidentiality or integrity but severely affects availability. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of exploitation and the critical impact on availability. No known public exploits have been reported yet, but the potential for disruption in enterprise and industrial environments is substantial. The vulnerability was published on November 18, 2025, with the initial reservation date in April 2025. No patches were linked at the time of reporting, emphasizing the need for vigilance and interim mitigations.

For European organizations, this vulnerability poses a significant risk to network availability, especially for those relying on HPE Aruba 100 Series Cellular Bridges to maintain cellular connectivity in remote or critical environments. Disruption caused by a DoS attack could halt essential communications, impacting operational technology, emergency services, or business continuity. The inability of the device to reboot automatically increases downtime and operational costs due to required manual intervention. Industries such as telecommunications, utilities, transportation, and public safety, which often deploy such bridging devices, may face severe operational disruptions. Additionally, the lack of authentication requirement means attackers can exploit the vulnerability from anywhere with network access, increasing the threat surface. This could lead to cascading failures in network infrastructure, affecting dependent systems and services across multiple sectors.

Organizations should immediately inventory their network to identify any deployed HPE Aruba 100 Series Cellular Bridge devices running version 10.7.0.0. Until a vendor patch is available, network segmentation should be enforced to isolate these devices from untrusted networks, limiting exposure to potential attackers. Access to the management interface should be restricted using firewall rules, VPNs, or zero-trust network access solutions to ensure only authorized personnel can reach the device interfaces. Monitoring network traffic for unusual activity targeting these devices can provide early detection of exploitation attempts. Implementing redundancy in network paths and failover mechanisms can reduce the impact of device downtime. Once HPE releases patches or firmware updates addressing this vulnerability, organizations must prioritize timely deployment. Additionally, consider disabling or limiting web-based management interfaces if not required or replacing affected devices with more secure alternatives in critical environments.