How to fix CVE-2025-25040?

During next maintenance window: Apply vendor patches when convenient. Monitor vendor channels for updates.

Is Aruba affected by CVE-2025-25040?

CVE-2025-25040 is a low-severity vulnerability in A vulnerability (CVSS 3.3). The limited severity suggests constrained impact, typically requiring specific conditions or local access for exploitation. Apply vendor updates when available as part of routine maintenance.

CVE-2025-25040

LOW

2025-03-18 [email protected]

3.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:32 vuln.today

CVE Published

Mar 18, 2025 - 19:15 nvd

LOW 3.3

Description

A vulnerability has been identified in the port ACL functionality of AOS-CX software running on the HPE Aruba Networking CX 9300 Switch Series only and affects: - AOS-CX 10.14.xxxx : All patches - AOS-CX 10.15.xxxx : 10.15.1000 and below The vulnerability is specific to traffic originated by the CX 9300 switch platform and could allow an attacker to bypass ACL rules applied to routed ports on egress. As a result, port ACLs are not correctly enforced, which could lead to unauthorized traffic flow and violations of security policies. Egress VLAN ACLs and Routed VLAN ACLs are not affected by this vulnerability.

Analysis

Technical Context

This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. A vulnerability has been identified in the port ACL functionality of AOS-CX software running on the HPE Aruba Networking CX 9300 Switch Series only and affects: - AOS-CX 10.14.xxxx : All patches - AOS-CX 10.15.xxxx : 10.15.1000 and below The vulnerability is specific to traffic originated by the CX 9300 switch platform and could allow an attacker to bypass ACL rules applied to routed ports on egress. As a result, port ACLs are not correctly enforced, which could lead to unauthorized traffic flow and violations of security policies. Egress VLAN ACLs and Routed VLAN ACLs are not affected by this vulnerability.

Affected Products

See vendor advisory for affected versions.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +16

POC: 0

CVE-2025-25040 vulnerability details – vuln.today

Back

CVE-2025-25040

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-25040

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code