- 234/2025
- High
Aruba has released security updates to fix several vulnerabilities across multiple HPE Aruba products.
The addressed vulnerabilities could allow the attacker to perform denial of service attacks, bypass security restrictions, manipulate files, or execute arbitrary code/commands and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Unauthorized Filesystem Operations in System Firmware Remote Code Execution Vulnerability (CVE-2025-37146):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Gain Access
2. Secure Boot Bypass allows for Compromise of Hardware Root of Trust Vulnerability (CVE-2025-37147):
- CVSS: 7.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Bypass Security
Sample of the affected products:
- HPE Aruba Networking Access Points running AOS-8 Instant.
- HPE Aruba Networking Access Points running AOS-10 AP.
- HPE Aruba Networking Mobility Conductor and Mobility Controllers.
- HPE Aruba Networking WLAN and SD-WAN Gateways Managed by HPE Aruba Networking Central.
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.