CVE-2025-37184
CRITICAL WAF: Low
CVSS 9.8
Published: 2026-01-14
CWE-287
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.
WAF Coverage Analysis
Improper Authentication
Low WAF Coverage
OWASP: A07:2021 Identification and Authentication Failures
Affected Software
| Vendor | Product | Version |
|---|---|---|
| arubanetworks | edgeconnect_sd-wan_orchestrator | 9.2.0 - 9.2.10 |
| arubanetworks | edgeconnect_sd-wan_orchestrator | 9.3.0 - 9.3.6 |
| arubanetworks | edgeconnect_sd-wan_orchestrator | 9.4.0 - 9.4.3 |
| arubanetworks | edgeconnect_sd-wan_orchestrator | 9.5.0 - 9.5.6 |
| arubanetworks | edgeconnect_sd-wan_orchestrator | 9.6.0 |
References
- support.hpe.com (Vendor Advisory)