CVE-2025-37158
Published: 18 November 2025
Description
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads.
Security Summary
CVE-2025-37158 is a command injection vulnerability (CWE-78) affecting the AOS-CX Operating System. Published on 2025-11-18T19:15:47.700, it carries a CVSS v3.1 base score of 6.7 (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N). Successful exploitation enables an authenticated remote attacker to achieve remote code execution (RCE) on the impacted system.
An authenticated remote attacker can exploit this vulnerability to inject and execute arbitrary commands. Despite the CVSS vector indicating local access (AV:L), high attack complexity (AC:H), and no privileges required (PR:N), the description specifies remote exploitation by an authenticated user, resulting in high impacts to confidentiality and integrity but no availability disruption.
Mitigation details are available in the HPE security advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04888en_us&docLocale=en_US.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection vulnerability enables exploitation of remote services (T1210) and arbitrary command execution via network device CLI (T1059.008).