CVE-2025-37157
Published: 18 November 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-37157 is a command injection vulnerability in the AOS-CX Operating System. Successful exploitation could allow an authenticated remote attacker to conduct remote code execution (RCE) on the affected system. The vulnerability is linked to CWE-94 (Improper Control of Generation of Code) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command), with a CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). It was published on 2025-11-18.
An authenticated remote attacker can exploit this vulnerability to achieve RCE. The CVSS vector indicates local attack vector with high attack complexity, no privileges required, no user interaction, unchanged scope, high impact to confidentiality and integrity, and no impact to availability.
Mitigation details are available in the HPE security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability in AOS-CX (network device OS) enables remote code execution via Network Device CLI (T1059.008) and constitutes exploitation of a remote service (T1210).