"Aruba AOS-CX CVE-2025-37157 & CVE-2025-37158: Command Injection RCE on CX 8xxx/9300/10000 Switches"

HPE Aruba Networking has disclosed two command-injection vulnerabilities in the AOS-CX operating system, tracked as CVE-2025-37157 and CVE-2025-37158. Both allow an authenticated remote attacker to execute arbitrary commands on the underlying switch, which can lead to full device compromise. They were published together with three other AOS-CX issues in HPE security bulletin HPESBNW04888.
If you operate Aruba CX switches in a data center, campus core, or any segment that carries sensitive traffic, this advisory is worth acting on. Below is a calm, factual rundown of what is confirmed, what is not, and how to reduce your exposure.
What happened
HPE Aruba Networking identified two separate OS command-injection flaws in AOS-CX, the network operating system that runs on the Aruba CX switch family. In both cases, input that should be treated as data is instead passed to the underlying operating system in a way that lets an attacker inject and run their own commands.
The vulnerability class is CWE-78 (Improper Neutralization of Special Elements used in an OS Command); CVE-2025-37157 is additionally categorized under CWE-94 (Code Injection). The practical result for both is the same: an authenticated user can escalate from issuing legitimate commands to running arbitrary commands on the switch, achieving remote code execution (RCE).
These two CVEs were disclosed alongside three additional AOS-CX issues in the same bulletin (CVE-2025-37155, CVE-2025-37159, and CVE-2025-25040), which cover privilege escalation, web session hijacking, and a port ACL bypass respectively. This post focuses on the two command-injection RCE flaws named in the bulletin.
Affected products and versions
The vulnerabilities affect Aruba Networking switches running AOS-CX, including the CX 8xxx, CX 9300, and CX 10000 series. Per the National Vulnerability Database, the following AOS-CX branches and version ranges are affected for both CVE-2025-37157 and CVE-2025-37158:
| Product (AOS-CX branch) | Affected | Fixed |
|---|---|---|
| AOS-CX 10.10.x | 10.10.0000 through 10.10.1160 | Next patch release on the 10.10 branch (per HPESBNW04888) |
| AOS-CX 10.13.x | 10.13.0000 through 10.13.1090 | Next patch release on the 10.13 branch (per HPESBNW04888) |
| AOS-CX 10.14.x | 10.14.0000 through 10.14.1050 | Next patch release on the 10.14 branch (per HPESBNW04888) |
| AOS-CX 10.15.x | 10.15.0000 through 10.15.1020 | Next patch release on the 10.15 branch (per HPESBNW04888) |
| AOS-CX 10.16.x | 10.16.0000 through 10.16.1000 | Next patch release on the 10.16 branch (per HPESBNW04888) |
A note on accuracy: the affected ceilings above are confirmed by NVD. HPE publishes the exact fixed build number for each branch in bulletin HPESBNW04888, and that bulletin is the authoritative source for the precise target version to deploy. Always confirm the fixed build against the bulletin for your specific switch model before upgrading, rather than assuming a version number.
How serious is it
There are two published CVSS v3.1 assessments, and they differ in how they score the attack vector:
- HPE (the CNA): 6.7 (Medium) for both CVEs, with vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N. HPE scores this as a local-vector, high-complexity issue. - NVD/NIST: 8.8 (High) for both CVEs, with vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. NVD treats it as network-reachable with low complexity.
The gap matters operationally. NVD's network-vector, low-complexity scoring reflects the realistic case where a switch management interface is reachable on the network and an attacker holds (or obtains) a low-privilege account. In that scenario the risk is materially higher than the "Medium" rating alone would suggest.
Both flaws require authentication, so this is not an unauthenticated, internet-wide drive-by. But authentication requirements are weaker in practice when management planes are flat, when multiple admin or operator accounts exist, or when credentials can be phished or reused.
On exploitation status: at the time of publication, HPE stated it was not aware of any active exploitation or public exploit code for these specific vulnerabilities, and we did not find CVE-2025-37157 or CVE-2025-37158 listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. That can change; the absence of a KEV entry today is not a reason to defer patching network infrastructure.
Am I exposed?
Work through these questions:
- Do you run Aruba CX switches? Check models such as CX 8xxx, CX 9300, and CX 10000, and any other CX hardware running AOS-CX.
- What AOS-CX version is installed? On each switch, run
show versionand compare against the affected ranges above. If the running version falls within a listed range, treat it as affected. - Who can reach the management plane? Identify every interface (CLI/SSH and the web UI) where AOS-CX management is reachable, and from which networks.
- How many accounts can authenticate? Inventory local and remote (TACACS+/RADIUS) accounts that can log into the switch, including service and operator accounts.
If you run CX hardware on an affected version and the management interfaces are reachable from general user or server VLANs, you should consider yourself exposed and prioritize remediation.
How to fix it
- Patch to a fixed AOS-CX release. Upgrade each affected switch to the fixed build for its branch as documented in HPESBNW04888. Confirm the exact target build number in the bulletin for your model, then validate with
show versionafter upgrade. - Restrict management access (interim mitigation). Until you can patch, limit CLI and web management interface access to a dedicated, trusted management network. HPE's guidance is to confine management to a separate Layer 2 segment and/or enforce access with firewall/ACL policy so that only authorized administrators can reach the management plane.
- Tighten account hygiene. Remove unused accounts, enforce least privilege, rotate credentials, and prefer centralized authentication with strong controls. Because both flaws require authentication, reducing the population of accounts that can log in directly reduces the attack surface.
- Monitor. Watch management-interface logins and command activity for anomalies during and after remediation.
Segmentation is a mitigation, not a substitute for patching. Apply the fixed firmware as soon as your change process allows.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller serving US federal, SLED, healthcare, and enterprise customers. For this advisory we can:
- Assess exposure across your Aruba CX fleet, mapping models and AOS-CX versions against the affected ranges and identifying management-plane reachability.
- Source patched or replacement hardware where switches are end-of-support or cannot run a fixed AOS-CX release, and help plan a clean upgrade path.
- Support the upgrade, from validating the correct fixed build per model to staging firmware and segmentation changes with minimal disruption.
Procurement is available through TAA-compliant, GSA, and SEWP vehicles, so federal and SLED teams can remediate without contracting friction. Reach out and we will help you scope exposure and get to a fixed, segmented state quickly.