CVE-2025-37184

Published: Jan 14, 2026Modified: Mar 3, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.

Affected (5)

Products: Arubanetworks: Edgeconnect Sd Wan Orchestrator

Arubanetworks

1 product

Edgeconnect Sd Wan Orchestrator

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.2.0 to 9.2.10
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.3.0 to 9.3.6
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.4.0 to 9.4.3
Arubanetworks Edgeconnect Sd Wan Orchestrator	From 9.5.0 to 9.5.6
Arubanetworks Edgeconnect Sd Wan Orchestrator	Version 9.6.0

Related CWEs

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (1)

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US

Source: security-alert@hpe.com

Vendor Advisory

Timeline

No history available yet.