HPE Releases Emergency Patches for Five AOS-CX Vulnerabilities
Hewlett Packard Enterprise published an emergency security bulletin on March 10, 2026, addressing five vulnerabilities in the Aruba Networking AOS-CX operating system, two of which enable remote code execution on affected network switches. The flaws affect Aruba CX switches deployed in enterprise and service provider network infrastructure worldwide and require immediate patching.
HPE Aruba Networking has not reported any active exploitation of these vulnerabilities at the time of disclosure. However, the combination of RCE, privilege escalation, and session hijacking flaws on critical network equipment represents a serious risk for organizations that delay applying the available updates.
Two Command Injection Flaws Enable Remote Code Execution (CVE-2025-37157, CVE-2025-37158)
The most severe vulnerabilities are CVE-2025-37157 and CVE-2025-37158, two command injection flaws present in the AOS-CX operating system. According to HPE Aruba Networking bulletin HPESBNW04888, both CVEs allow an authenticated remote attacker to execute arbitrary commands on the underlying system, achieving full compromise of the affected switch. Both vulnerabilities have been remediated in the latest AOS-CX releases.
While exploitation requires prior authentication, environments where multiple administrator accounts exist or where management interfaces are exposed to insufficiently segmented networks carry a real exploitation risk. HPE recommends restricting CLI and web management interface access to a dedicated Layer 2 segment or controlling it through firewall policies.
SSH Restricted Shell Privilege Escalation (CVE-2025-37155)
CVE-2025-37155 is an access control vulnerability in the SSH restricted shell interface of AOS-CX network management services. It allows an authenticated read-only user to access functions that should be restricted to administrators, opening a path to privilege escalation on the device. This vulnerability was discovered and reported by researchers from the Italian National Cybersecurity Agency (ACN), according to HPE disclosure notes.
Web Session Hijacking on Active Admin Sessions (CVE-2025-37159)
CVE-2025-37159 affects the AOS-CX web management interface. The flaw allows an authenticated remote attacker to hijack an active user session through the OS user authentication service. Successful exploitation enables the attacker to maintain unauthorized access to the session, read or modify sensitive configuration data, and establish persistent access on the device without alerting legitimate administrators.
Port ACL Bypass on CX 9300 Series Switches (CVE-2025-25040)
CVE-2025-25040 is an improper authorization vulnerability specific to the HPE Aruba Networking CX 9300 Switch Series, affecting AOS-CX versions 10.14.xxxx (all patches) and 10.15.xxxx up to 10.15.1000. The flaw allows an attacker to bypass ACL rules applied to routed ports on egress, resulting in unauthorized traffic flows and potential violations of network security policies. Egress VLAN ACLs and Routed VLAN ACLs are not affected by this vulnerability.
Affected Products and Versions
The vulnerabilities affect Aruba Networking switches running AOS-CX across multiple CX product lines, including the CX 8xxx, CX 9300, and CX 10000 series. HPE has published patched versions through its standard software distribution channels. Network administrators must verify the AOS-CX version installed on each switch and apply the corresponding update detailed in security bulletin HPESBNW04888.
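A version check for CVE-2025-25040 using the ranges stated above, added here as an example (not code from HPE or the bulletin): it flags CX 9300 switches in a constructed inventory that fall inside the listed AOS-CX ranges. The inventory format, the function names, the optional two-letter version prefix and the inclusive reading of "up to 10.15.1000" are assumptions; fixed versions for the other four CVEs are not given in this article and must be taken from HPESBNW04888.

```python
import re

# Ranges as stated in the article for CVE-2025-25040 (CX 9300 series only):
# 10.14.xxxx (all patches) and 10.15.xxxx up to 10.15.1000.
# Assumption: "up to 10.15.1000" is inclusive; confirm against HPESBNW04888.
# Assumption: an inventory may carry a two-letter platform prefix ("ZZ.10.15.0005").
VERSION_RE = re.compile(r"^(?:[A-Za-z]{2}\.)?(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not recognised."""
    m = VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(model, version):
    """Classify one switch for CVE-2025-25040 only."""
    if "9300" not in model:
        return "other-model"      # still subject to the other four CVEs
    v = parse_version(version)
    if v is None:
        return "unknown"          # never treat an unparsed version as safe
    major, minor, patch = v
    if (major, minor) == (10, 14):
        return "affected"         # all 10.14 patches are listed
    if (major, minor) == (10, 15) and patch <= 1000:
        return "affected"
    return "not-in-range"         # outside the ranges the article lists

def triage_inventory(lines):
    """lines: 'hostname,model,version' records. Returns {hostname: status}."""
    result = {}
    for line in lines:
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            result[line.strip()] = "unknown"   # malformed record, review by hand
            continue
        host, model, version = fields
        result[host] = triage(model, version)
    return result

# Constructed sample inventory: hostnames and versions are made up.
SAMPLE = [
    "core-sw1,CX 9300,10.14.1000",
    "core-sw2,CX 9300,ZZ.10.15.0005",
    "core-sw3,CX 9300,10.15.1005",
    "edge-sw1,CX 10000,10.14.1000",
    "lab-sw1,CX 9300,unknown-build",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

A "not-in-range" or "other-model" result says nothing about the command injection, restricted shell or session hijacking flaws, which apply across CX product lines.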
Immediate Mitigations Recommended by HPE
HPE Aruba Networking recommends the following measures while patches are being applied, or in addition to them:
- Restrict CLI and web management interfaces to a dedicated Layer 2 segment or control them through Layer 3 firewall policies.
- Enable logging and accounting controls to track and record user activity and resource usage on affected switches.
- Monitor for any anomalous administrative activity on affected devices.
- Verify that read-only user accounts do not have extended access through SSH.
- Apply available patches immediately through the HPE support portal using bulletin HPESBNW04888 as reference.
HPE is not aware of any active exploitation of these vulnerabilities at the time of publication. However, given the critical role that Aruba CX switches play in enterprise and service provider network infrastructure, any delay in patching exposes organizations to serious risk of network compromise.







