Security Updates: HPE-Aruba Products Attackable via Multiple Vulnerabilities
Attackers can exploit various vulnerabilities in EdgeConnect SD-WAN Orchestrator and AOS-8/AOS-10.
Attackers can target systems with HPE Aruba Networking AOS-8/AOS-10 or EdgeConnect SD-WAN Orchestrator and, in the worst case, execute malicious code. Security updates are available for download.
Closed Vulnerabilities
As indicated in a warning message, AOS-8 and AOS-10 for Mobility Conductors, Controllers, and Gateways are vulnerable to more than twelve security flaws. Half of these are classified with the threat level “high.” For instance, a remote attacker without authentication can delete files, leading to crashes (CVE-2025-37168, “high”).
In several cases (e.g., CVE-2025-37169, “high”), exploitation can lead to the execution of malicious code. The web-based management interface serves as the entry point. For such an attack to succeed, however, attackers must be authenticated. Further details on the potential attack scenarios are not currently available. According to HPE Aruba Networking, there are currently no active attacks.
To prevent this, administrators should install the security updates promptly:
- 10.7.2.2
- 10.4.1.10
- 8.13.1.1
- 8.10.0.21
In the warning message, the developers point out that unsupported versions such as 10.6.c.c and 6.5.4.x are also affected by these vulnerabilities. These versions no longer receive security updates. In this situation, an upgrade to a still-supported version is necessary.
Further Dangers
According to a report, EdgeConnect SD-WAN Orchestrator is vulnerable to five security flaws. Here too, malicious code can be introduced to systems within the context of the management interface (e.g., CVE-2025-37181 “high”). In this case, there are currently no indications of active attacks. The affected versions are 9.5.6 and 9.6.1, which have been patched.
(des)