"Aruba AOS-CX CVE-2025-37155 & CVE-2025-37159: SSH Privilege Escalation and Session Hijacking"

HPE Aruba Networking has disclosed a set of vulnerabilities in AOS-CX, the operating system that runs its CX-series data center and campus switches. Most of the headlines went to the command-injection / remote-code-execution issues in the same advisory, but two flaws deserve attention on their own because of what they do in environments with more than one switch administrator: CVE-2025-37155, an SSH privilege-escalation issue, and CVE-2025-37159, a web-management session-hijacking issue.
This post focuses on those two CVEs, what they actually allow, and how to remediate them. Where a detail could not be confirmed from the vendor advisory or NVD, we say so rather than guess.
What happened
HPE Aruba Networking published security bulletin HPESBNW04888 covering multiple vulnerabilities in AOS-CX. Two of them are access-control problems rather than code-execution problems:
- CVE-2025-37155 is a flaw in the SSH restricted shell interface of the AOS-CX network management services. It allows improper access control for an authenticated read-only user, opening a path to escalate privileges toward administrator-level functions on the switch. It was reported by researchers from Italy's National Cybersecurity Agency (ACN).
- CVE-2025-37159 is a flaw in the web management interface of the AOS-CX user authentication service. It can allow an authenticated remote attacker to hijack an active user session, gaining access to the privileges of that session.
Both are authenticated vulnerabilities. An attacker needs some level of valid access first — a low-privilege account, harvested credentials, or a foothold on a host that can reach the management plane. That makes them most dangerous in multi-admin and shared-management environments, where read-only operators, contractors, or monitoring accounts are common.
Affected products and versions
The advisory applies to switches running AOS-CX, including the CX 8xxx, CX 9300, and CX 10000 families. According to the CVE records (NVD / CVE.org), both CVE-2025-37155 and CVE-2025-37159 affect the following AOS-CX software branches and version ranges:
| Product / branch | Affected | Fixed |
|---|---|---|
| AOS-CX 10.16.xxxx | 10.16.0000 through 10.16.1000 | Release above 10.16.1000 per HPESBNW04888 |
| AOS-CX 10.15.xxxx | 10.15.0000 through 10.15.1020 | Release above 10.15.1020 per HPESBNW04888 |
| AOS-CX 10.14.xxxx | 10.14.0000 through 10.14.1050 | Release above 10.14.1050 per HPESBNW04888 |
| AOS-CX 10.13.xxxx | 10.13.0000 through 10.13.1090 | Release above 10.13.1090 per HPESBNW04888 |
| AOS-CX 10.10.xxxx | 10.10.0000 through 10.10.1160 | Release above 10.10.1160 per HPESBNW04888 |
The CVE records define the affected ranges by their upper bound; the resolved release for each branch is the next maintenance build above that bound. Confirm the exact target build for your branch directly in HPESBNW04888 before scheduling the upgrade — the bulletin is the authoritative source for fixed versions, and AOS-CX branches not listed above (or that have reached end of support) should be validated against it as well.
How serious is it
These are meaningful but not maximum-severity issues, and the scores reflect that:
- CVE-2025-37155 — CVSS 3.1 base score 7.8 (High). Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. Classified as CWE-284 (Improper Access Control). A read-only operator who can reach the CLI can climb toward administrative control of the switch — full confidentiality, integrity, and availability impact once escalated. - CVE-2025-37159 — CVSS 3.1 base score 5.8 (Medium) per HPE as the CNA. Vector:
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N. Classified as CWE-384 (Session Fixation). NVD's secondary scoring rates it higher (7.3, High) using a network attack vector with low privileges. The practical risk is an attacker riding a legitimate admin's web session to read and change configuration.
On exploitation: at the time of disclosure there were no reports of public exploit code or active exploitation, and neither CVE-2025-37155 nor CVE-2025-37159 appears in the CISA Known Exploited Vulnerabilities (KEV) catalog as of this writing. That lowers the urgency relative to a KEV-listed flaw, but it does not remove the need to patch — these are real privilege boundaries being crossed, and they sit in the same advisory as critical RCE bugs that you will want to remediate anyway.
Am I exposed?
Work through these questions:
- Do you run AOS-CX switches? This affects the CX line (8xxx, 9300, 10000 families and other CX models running affected branches), not AOS-8 / AOS-10 gateways or controllers.
- What version is each switch on? Run
show versionon each switch and compare against the affected ranges above. Anything at or below the listed upper bound for its branch is affected. - Who can reach the management plane? Both flaws require an authenticated foothold. If read-only accounts, contractors, NMS/monitoring credentials, or shared logins can reach SSH or the web UI, your exposure to escalation and session hijacking is higher.
- Is management network-segmented? Switches whose CLI and web interfaces are reachable from general user VLANs or the broader network are easier to attack than those locked to an out-of-band management segment.
How to fix it
- Upgrade AOS-CX. Move each switch to the resolved release for its branch as listed in HPESBNW04888 (the next maintenance build above the affected upper bound for 10.10, 10.13, 10.14, 10.15, and 10.16). Patching is the only complete fix for both CVEs. If you are on a branch nearing end of support, plan to move to a supported, fixed branch.
- Restrict the management plane (interim mitigation). Until you can patch, limit who can reach the CLI and web UI. HPE's general guidance for AOS-CX is to restrict CLI and web-management access to a dedicated, isolated management segment (out-of-band where possible) and enforce it with ACLs or firewall policy.
- Tighten and review accounts. Audit read-only and service accounts, remove unused logins, rotate credentials, and avoid shared admin sessions in the web UI — the session-hijacking flaw specifically targets active sessions.
- Increase monitoring. Log and alert on administrative actions, privilege changes, and unusual management-interface activity so an escalation or hijack attempt is visible.
Because HPESBNW04888 also addresses critical command-injection / RCE issues in AOS-CX, treat the upgrade as a single remediation effort rather than patching these two CVEs in isolation.
How Uniqcli helps
Uniqcli is an authorized reseller of HPE, HPE Aruba Networking, and HPE Juniper Networking, and we support customers across US federal, SLED, healthcare, and enterprise environments. For this advisory we can:
- Assess your exposure — inventory your AOS-CX fleet, map installed versions against the affected ranges, and prioritize which switches need attention first.
- Plan and support the upgrade — identify the correct fixed AOS-CX release for each branch per HPESBNW04888 and help you stage maintenance windows with minimal disruption.
- Source patched or replacement hardware — if any switches are on end-of-support branches or hardware that can't reach a fixed release, we can quote current, supportable CX platforms.
- Procure the right way — TAA-compliant hardware through GSA and SEWP vehicles, so federal and SLED buyers stay within contract and compliance requirements.
If you run Aruba CX switches and want help confirming exposure or scoping the upgrade, contact Uniqcli and we'll work from your actual version inventory.