-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 HPE Aruba Networking Product Security Advisory ============================================== Advisory ID: HPESBNW04943 CVE: CVE-2025-37123, CVE-2025-37124, CVE-2025-37125, CVE-2025-37126, CVE-2025-37127, CVE-2025-37128, CVE-2025-37129, CVE-2025-37130, CVE-2025-37131. Publication Date: 2025-SEP-16 Last Updated: 2025-SEP-19 Status: Confirmed Severity: High Revision: 2 Title ===== Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN Gateways. Overview ======== HPE Aruba Networking has released patches for the HPE Aruba Networking EdgeConnect SD-WAN Gateways that address multiple security vulnerabilities. Affected Products ================= HPE Aruba Networking EdgeConnect SD-WAN Gateways running (unless otherwise noted) - HPE Aruba Networking EdgeConnect SD-WAN Release Stream 9.5.x.x: 9.5.3.x and below - HPE Aruba Networking EdgeConnect SD-WAN Release Stream 9.4.x.x: 9.4.3.x and below NOTE: ECOS 9.3.x.x was declared out of Maintenance as of June 30, 2025. All builds of this version are affected unless otherwise noted. HPE Aruba Networking EdgeConnect SD-WAN 9.2.x.x: all release streams of this version and older are affected and out of maintenance. HPE Aruba Networking EdgeConnect SD-WAN software versions that are end of maintenance are affected by these vulnerabilities unless otherwise indicated. Unaffected Products =================== Any other HPE Aruba Networking products not specifically listed above are not affected by these vulnerabilities. Details ======= Authenticated Command Injection leads to Unauthorized Actions in CLI Interface (CVE-2025-37123) - --------------------------------------------------------------------- A vulnerability in the command-line interface of HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to escalate privileges. Successful exploitation of this vulnerability may enable the attacker to execute arbitrary system commands with root privileges on the underlying operating system. Internal References: ATLSP-121 Severity: High CVSS v3.1 Base Score: 8.8 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered by Nicholas Migliore of Visa, INC NOTE: The fix for this specific vulnerability has been added to Software branch 9.5.3.3 and above. Release stream 9.4.x is not impacted. Workaround: See the workaround section below for details. Unauthenticated Access Vulnerability allows Transit Traffic Misrouting in SD-WAN Edge Interface (CVE-2025-37124) - --------------------------------------------------------------------- A vulnerability in the HPE Aruba Networking SD-WAN Gateways could allow an unauthenticated remote attacker to bypass firewall protections. Successful exploitation could allow an attacker to route potentially harmful traffic through the internal network, leading to unauthorized access or disruption of services. Internal References: ATLSP-129 Severity: High CVSS v3.1 Base Score: 8.6 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H Discovery: This vulnerability was discovered by HPE Aruba Networking Internal Engineering NOTE: The fix for this specific vulnerability has been added to Software branches 9.2.11.3, 9.3.8.0, 9.4.3.5, 9.5.3.3 and above. Workaround: None. Broken access control vulnerability in Firewall Configuration Leads to Unauthorized Access to Internal Network Resources (CVE-2025-37125) - --------------------------------------------------------------------- A broken access control vulnerability exists in HPE Aruba Networking EdgeConnect OS (ECOS). Successful exploitation could allow an attacker to bypass firewall protections, potentially leading to unauthorized traffic being handled improperly. Internal References: ATLSP-123 Severity: High CVSS v3.1 Base Score: 7.5 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered by Members First Federal Credit Union NOTE: The fix for this specific vulnerability has been added to Software branches 9.4.3.5, 9.5.3.3 and above. Release stream 9.3.x is not impacted. Workaround: None. Authenticated Remote Code Execution in HPE Aruba Networking EdgeConnect SD-WAN Gateways Command Line Interface (CVE-2025-37126) - --------------------------------------------------------------------- A vulnerability exists in the HPE Aruba Networking EdgeConnect SD-WAN Gateways Command Line Interface that allows remote authenticated users to run arbitrary commands on the underlying host. Successful exploitation of this vulnerability will result in the ability to execute arbitrary commands as root on the underlying operating system. Internal References: ATLSP-115 Severity: High CVSS v3.1 Base Score: 7.2 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered and reported by grouptherapy through HPE Aruba Networking Bug Bounty Program NOTE: The fix for this specific vulnerability has been added to Software branch 9.3.0.0 and above. Workaround: See the workaround section below for details. Authenticated Replay Attack contains Cryptographic Vulnerability (CVE-2025-37127) - --------------------------------------------------------------------- A vulnerability in the cryptographic logic used by HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to gain shell access. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system, potentially leading to unauthorized access and control over the affected systems. Internal References: ATLSP-130 Severity: High CVSS v3.1 Base Score: 7.2 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H Discovery: This vulnerability was discovered by NCC Group Workaround: See the workaround section below for details. Authenticated Arbitrary Process Termination allows potential System Disruption in ECOS (CVE-2025-37128) - --------------------------------------------------------------------- A vulnerability in the web API of HPE Aruba Networking EdgeConnect SD-WAN Gateways could allow an authenticated remote attacker to terminate arbitrary running processes. Successful exploitation could allow an attacker to disrupt system operations, potentially resulting in an unstable system state. Internal References: ATLSP-131 Severity: Medium CVSS v3.1 Base Score: 6.8 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:N/A:H Discovery: This vulnerability was discovered by NCC Group Workaround: See the workaround section below for details. Authenticated Remote Code Execution allows Exploit in Scripts Feature (CVE-2025-37129) - --------------------------------------------------------------------- A vulnerable feature in the command line interface of EdgeConnect SD-WAN could allow an authenticated attacker to exploit built-in script execution capabilities. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system if the feature is enabled without proper security measures. Internal References: ATLSP-134 Severity: Medium CVSS v3.1 Base Score: 6.7 CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Discovery: This vulnerability was discovered by NCC Group Workaround: See the workaround section below for details. Unrestricted Binary allows File Enumeration in Underlying Operating System (CVE-2025-37130) - --------------------------------------------------------------------- A vulnerability in the command-line interface of EdgeConnect SD-WAN could allow an authenticated attacker to read arbitrary files within the system. Successful exploitation could allow an attacker to read sensitive data from the underlying file system. Internal References: ATLSP-132 Severity: Medium CVSS v3.1 Base Score: 6.5 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered by NCC Group Workaround: See the workaround section below for details. Authenticated Arbitrary File Read allows Data Exposure in CLI Interface (CVE-2025-37131) - --------------------------------------------------------------------- A vulnerability in EdgeConnect SD-WAN ECOS could allow an authenticated remote threat actor with admin privileges to access sensitive unauthorized system files. Under certain conditions, this could lead to exposure and exfiltration of sensitive information. Internal References: ATLSP-125 Severity: Medium CVSS v3.1 Base Score: 4.9 CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N Discovery: This vulnerability was discovered by NCC Group Workaround: See the workaround section below for details. Resolution ========== HPE Aruba Networking advises customers to upgrade to the following versions to address all vulnerabilities within this advisory, unless otherwise specified in the Details section. These builds and branches will fix all vulnerabilities listed above: - HPE Aruba Networking EdgeConnect SD-WAN 9.5.4.1 and above - HPE Aruba Networking EdgeConnect SD-WAN 9.4.4.2 and above The HPE Aruba Networking EdgeConnect SD-WAN Orchestrator software version must be greater than or equal to the ECOS software version running on any HPE Aruba EdgeConnect SD-WAN Gateways. HPE Aruba Networking does not evaluate or patch software versions that have reached their End of Maintenance (EoM) milestone. For more details on HPE Aruba Networking End-of-Support policy, please visit: https://www.arubanetworks.com/support-services/end-of-life/ Workaround ========== To minimize the likelihood of an attacker exploiting these vulnerabilities — except for CVE-2025-37124 and CVE-2025-37125 — HPE Aruba Networking recommends that CLI and web-based management interfaces be restricted to a dedicated Layer 2 segment/VLAN and/or controlled by firewall policies at Layer 3 and above. As a best practice, it is also recommended to configure IP allow-listing for Orchestrator local users and API keys. In EdgeConnect SD-WAN deployments, it is recommended that RADIUS or TACACS is used for user authentication, and management plane traffic is routed through secure SD-WAN tunnels whenever feasible, to maintain secure and reliable communication. Exploitation and Public Discussion ================================== HPE Aruba Networking is not aware of any public discussion or exploit code that targets the vulnerabilities listed as of the release date of this advisory. Revision History ================ Revision 1 / 2025-SEP-16 / Initial release Revision 2 / 2025-SEP-19 / Added individual workarounds in each vulnerability detail block, as the general workaround does not apply to CVE-2025-37124 and CVE-2025-37125. HPE Aruba Networking SIRT Security Procedures ============================== Complete information on reporting security vulnerabilities in HPE Aruba Networking products and obtaining assistance with security incidents is available at: https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00100637en_us For reporting *NEW* HPE Aruba Networking security issues, email can be sent to aruba-sirt(at)hpe.com. For sensitive information we encourage the use of PGP encryption. Our public keys can be found at: https://www.hpe.com/info/psrt-pgp-key (c) Copyright 2025 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information. -----BEGIN PGP SIGNATURE----- iQHLBAEBCAA1FiEEMErWmuZGsYOCo0+xpjMm7I0cE64FAmjNsgkXHHNlY3VyaXR5 LWFsZXJ0QGhwZS5jb20ACgkQpjMm7I0cE64ZjQwAnyBWaQ2OrDCk5bgXrnFo6z+L vc2EkQAj5KIs79nz4OMfmw8Ocy8veEy+D7CMzIOhsNJuTGvKIG8tChq1GtCkcDo1 VfQd9MeENvpXLbrG9nr9bV027FLxL/a6Nbh9TY7AzsrJwnOaCqBVzXnWAPzYufTL OIMQWtS3YLlWDzPHd3m5Zi04QuFN9aA0JZcqCCALsfyU0+30/Po3WW05DEZCvnG5 Oi2U6+Z2oD26cMKv9ZuPvtH7Z2Ucpq856QpjHdBvKu3b2nHBH+C58RALSeye37dp yrpqlcJeDRZDzFkFr787E0JWd+ToXubyo483US3LgVkJ24HSDFUNZkshrY6+xv31 pjnhKADCe/oPrcDd0q8okqrcpvZyxoJJSpdI8dScEd7eLAWaxyQQdjfLTo+HjlQi I5xEi3/yfPdwszzxP1FIE0RThw0q4ts3/VPvwkRtF/WOl917mG257e1rAvucimIk x0WDILvwmw8rIYFu+IaOjrLOuqehy96UtXtiPOuZ =uZRr -----END PGP SIGNATURE-----