{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.first.org/cvss/v3.1/specification-document#Qualitative-Severity-Rating-Scale",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "summary",
        "text": "HPE Aruba Networking has released patches for EdgeConnect SD-WAN Orchestrator to address multiple security vulnerabilities.",
        "title": "Summary"
      },
      {
        "category": "general",
        "text": "HPE Aruba Networking EdgeConnect SD-WAN Orchestrator:\n  - 9.6.x: 9.6.0 and below\n  - 9.5.x: 9.5.5 and below\n  - 9.4.x: 9.4.4 and below\n\nNOTE:\n  - EdgeConnect SD-WAN Orchestrator 9.3.x reached End of Maintenance as of June 30, 2025. All builds are affected unless noted.\n  - EdgeConnect SD-WAN Orchestrator 9.2.x and older are End of Maintenance and all builds are affected.",
        "title": "Affected Products"
      },
      {
        "category": "general",
        "text": "Any other HPE Aruba Networking products not listed are not affected.",
        "title": "Unaffected Products"
      },
      {
        "category": "other",
        "text": "As of the release date of this advisory, HPE Aruba Networking is not aware of any public discussion or exploit code targeting these vulnerabilities.",
        "title": "Exploitation and Public Discussion"
      },
      {
        "category": "general",
        "text": "Complete information on reporting security vulnerabilities in HPE Aruba Networking products is available at: https://www.hpe.com/support/security-response-policy\n\nFor reporting *NEW* issues: aruba-sirt@hpe.com. For sensitive data, use PGP encryption: https://www.hpe.com/info/psrt-pgp-key",
        "title": "HPE Aruba Networking SIRT Security Procedures"
      },
      {
        "category": "legal_disclaimer",
        "text": "(c) Copyright 2026 by Hewlett Packard Enterprise Development LP. This advisory may be redistributed freely after the release date given at the top of the text, provided that the redistributed copies are complete and unmodified, including all data and version information.",
        "title": "Legal Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "Email: aruba-product-sirt@hpe.com - For further details please see https://www.hpe.com/support/security-response-policy",
      "issuing_authority": "HPE Aruba Networking’s Security Incident Response Team (SIRT) is responsible for receiving, tracking, managing, and disclosing vulnerabilities in HPE Aruba Networking products. \nThe HPE Aruba Networking SIRT actively works with industry, non-profit and government organizations, and the security community when vulnerabilities are reported. \nA security vulnerability is defined as any weakness in a product that allows an attacker to compromise the confidentiality, integrity, or availability of a product, customer infrastructure, or IT system through an HPE Aruba Networking product in that environment.",
      "name": "HPE Aruba Networking",
      "namespace": "https://www.hpe.com/support/security-response-policy"
    },
    "references": [
      {
        "summary": "Original Advisory",
        "url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US"
      },
      {
        "summary": "HPE Aruba Networking Security Advisory Archive",
        "url": "https://csaf.arubanetworking.hpe.com/"
      },
      {
        "summary": "HPE Aruba Networking Product Security Incident Response Policy",
        "url": "https://www.hpe.com/support/security-response-policy"
      }
    ],
    "title": "Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN Orchestrator",
    "tracking": {
      "current_release_date": "2026-03-03T18:00:00.000Z",
      "generator": {
        "date": "2026-02-27T17:41:01.837Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.44"
        }
      },
      "id": "HPESBNW04992",
      "initial_release_date": "2026-01-13T16:00:00.000Z",
      "revision_history": [
        {
          "date": "2026-01-13T16:00:00.000Z",
          "number": "1",
          "summary": "Initial release"
        },
        {
          "date": "2026-02-10T18:00:00.000Z",
          "number": "2",
          "summary": "Updated Resolution Section to include newly released 9.4.8"
        },
        {
          "date": "2026-03-03T18:00:00.000Z",
          "number": "3",
          "summary": "Updated CVSS 3.1 Base Score and Vector of CVE-2025-37184."
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "9.6.1",
                "product": {
                  "name": "EdgeConnect SD-WAN Orchestrator",
                  "product_id": "9.6.1"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=9.6.0|<=9.6.0",
                "product": {
                  "name": "EdgeConnect SD-WAN Orchestrator",
                  "product_id": ">=9.6.0|<=9.6.0"
                }
              },
              {
                "category": "product_version",
                "name": "9.5.6",
                "product": {
                  "name": "EdgeConnect SD-WAN Orchestrator",
                  "product_id": "9.5.6"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=9.5.0|<=9.5.5",
                "product": {
                  "name": "EdgeConnect SD-WAN Orchestrator",
                  "product_id": ">=9.5.0|<=9.5.5"
                }
              },
              {
                "category": "product_version_range",
                "name": "vers:semver/>=9.4.0|<=9.4.4",
                "product": {
                  "name": "EdgeConnect SD-WAN Orchestrator",
                  "product_id": ">=9.4.0|<=9.4.4"
                }
              }
            ],
            "category": "product_name",
            "name": "EdgeConnect SD-WAN Orchestrator"
          }
        ],
        "category": "vendor",
        "name": "HPE Aruba Networking"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Nicholas Starke"
          ],
          "organization": "Aruba Threat Labs ",
          "summary": "This vulnerability was discovered and reported by Nicholas Starke of Aruba Threat Labs"
        }
      ],
      "cve": "CVE-2025-37184",
      "notes": [
        {
          "category": "details",
          "text": "A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "VULN-60",
          "title": "Internal References"
        }
      ],
      "product_status": {
        "fixed": [
          "9.6.1",
          "9.5.6"
        ],
        "known_affected": [
          ">=9.6.0|<=9.6.0",
          ">=9.5.0|<=9.5.5",
          ">=9.4.0|<=9.4.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T18:00:00.000Z",
          "details": "To fully patch the vulnerabilities described above, HPE Aruba Networking \nrecommends upgrading your EdgeConnect Orchestrator to one of the following \nversions (as applicable):\n  - EdgeConnect SD-WAN Orchestrator 9.6.x : 9.6.1 and above\n  - EdgeConnect SD-WAN Orchestrator 9.5.x : 9.5.6 and above\n  - EdgeConnect SD-WAN Orchestrator 9.4.x : 9.4.8 and above\n\nHPE Aruba Networking does not evaluate or patch software branches\nthat have reached their End of Maintenance (EoM) milestone.\n\nSupported EdgeConnect SD-WAN Orchestrator software branches as \nof the publication date of this advisory are:\n  - EdgeConnect SD-WAN Orchestrator 9.6.x \n  - EdgeConnect SD-WAN Orchestrator 9.5.x \n  - EdgeConnect SD-WAN Orchestrator 9.4.x \n\nSoftware versions with resolution/fixes for the vulnerabilities covered   \nabove, can be downloaded from the HPE Networking Support Portal.   \nhttps://networkingsupport.hpe.com/home/   \n\nHPE Aruba Networking does not evaluate or patch software \nbranches that have reached their End of Maintenance (EoM) \nmilestone. For more information about Aruba's End of Support\npolicy please visit: https://www.hpe.com/psnow/doc/a00143052enw",
          "product_ids": [
            "9.6.1",
            "9.5.6"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        },
        {
          "category": "workaround",
          "date": "2026-01-13T17:00:00.000Z",
          "details": "None",
          "product_ids": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ]
        }
      ],
      "title": "Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "moonv"
          ],
          "organization": "Bugcrowd",
          "summary": "HPE Aruba Networking's Bug Bounty program \n"
        }
      ],
      "cve": "CVE-2025-37181",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. \n",
          "title": "Details"
        },
        {
          "category": "other",
          "text": " VULN-61",
          "title": "Internal References"
        }
      ],
      "product_status": {
        "fixed": [
          "9.5.6",
          "9.6.1"
        ],
        "known_affected": [
          ">=9.6.0|<=9.6.0",
          ">=9.5.0|<=9.5.5",
          ">=9.4.0|<=9.4.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T18:00:00.000Z",
          "details": "To fully patch the vulnerabilities described above, HPE Aruba Networking \nrecommends upgrading your EdgeConnect Orchestrator to one of the following \nversions (as applicable):\n  - EdgeConnect SD-WAN Orchestrator 9.6.x : 9.6.1 and above\n  - EdgeConnect SD-WAN Orchestrator 9.5.x : 9.5.6 and above\n  - EdgeConnect SD-WAN Orchestrator 9.4.x : 9.4.8 and above\n\nHPE Aruba Networking does not evaluate or patch software branches\nthat have reached their End of Maintenance (EoM) milestone.\n\nSupported EdgeConnect SD-WAN Orchestrator software branches as \nof the publication date of this advisory are:\n  - EdgeConnect SD-WAN Orchestrator 9.6.x \n  - EdgeConnect SD-WAN Orchestrator 9.5.x \n  - EdgeConnect SD-WAN Orchestrator 9.4.x \n\nSoftware versions with resolution/fixes for the vulnerabilities covered   \nabove, can be downloaded from the HPE Networking Support Portal.   \nhttps://networkingsupport.hpe.com/home/   \n\nHPE Aruba Networking does not evaluate or patch software \nbranches that have reached their End of Maintenance (EoM) \nmilestone. For more information about Aruba's End of Support\npolicy please visit: https://www.hpe.com/psnow/doc/a00143052enw",
          "product_ids": [
            "9.6.1",
            "9.5.6"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        },
        {
          "category": "workaround",
          "date": "2026-01-13T18:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above along with accounting controls for tracking and logging user activities and resource usage. ",
          "product_ids": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ]
        }
      ],
      "title": "Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface "
    },
    {
      "acknowledgments": [
        {
          "names": [
            "moonv"
          ],
          "organization": "Bugcrowd",
          "summary": "HPE Aruba Networking's Bug Bounty program \n"
        }
      ],
      "cve": "CVE-2025-37182",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. \n",
          "title": "Details"
        },
        {
          "category": "other",
          "text": " VULN-62, VULN-63",
          "title": "Internal References"
        }
      ],
      "product_status": {
        "fixed": [
          "9.5.6",
          "9.6.1"
        ],
        "known_affected": [
          ">=9.6.0|<=9.6.0",
          ">=9.5.0|<=9.5.5",
          ">=9.4.0|<=9.4.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T18:00:00.000Z",
          "details": "To fully patch the vulnerabilities described above, HPE Aruba Networking \nrecommends upgrading your EdgeConnect Orchestrator to one of the following \nversions (as applicable):\n  - EdgeConnect SD-WAN Orchestrator 9.6.x : 9.6.1 and above\n  - EdgeConnect SD-WAN Orchestrator 9.5.x : 9.5.6 and above\n  - EdgeConnect SD-WAN Orchestrator 9.4.x : 9.4.8 and above\n\nHPE Aruba Networking does not evaluate or patch software branches\nthat have reached their End of Maintenance (EoM) milestone.\n\nSupported EdgeConnect SD-WAN Orchestrator software branches as \nof the publication date of this advisory are:\n  - EdgeConnect SD-WAN Orchestrator 9.6.x \n  - EdgeConnect SD-WAN Orchestrator 9.5.x \n  - EdgeConnect SD-WAN Orchestrator 9.4.x \n\nSoftware versions with resolution/fixes for the vulnerabilities covered   \nabove, can be downloaded from the HPE Networking Support Portal.   \nhttps://networkingsupport.hpe.com/home/   \n\nHPE Aruba Networking does not evaluate or patch software \nbranches that have reached their End of Maintenance (EoM) \nmilestone. For more information about Aruba's End of Support\npolicy please visit: https://www.hpe.com/psnow/doc/a00143052enw",
          "product_ids": [
            "9.6.1",
            "9.5.6"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        },
        {
          "category": "workaround",
          "date": "2026-01-13T18:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above along with accounting controls for tracking and logging user activities and resource usage. ",
          "product_ids": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ]
        }
      ],
      "title": "Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface "
    },
    {
      "acknowledgments": [
        {
          "names": [
            "moonv"
          ],
          "organization": "Bugcrowd",
          "summary": "HPE Aruba Networking's Bug Bounty program \n"
        }
      ],
      "cve": "CVE-2025-37183",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation. \n",
          "title": "Details"
        },
        {
          "category": "other",
          "text": " VULN-62, VULN-63",
          "title": "Internal References"
        }
      ],
      "product_status": {
        "fixed": [
          "9.5.6",
          "9.6.1"
        ],
        "known_affected": [
          ">=9.6.0|<=9.6.0",
          ">=9.5.0|<=9.5.5",
          ">=9.4.0|<=9.4.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T18:00:00.000Z",
          "details": "To fully patch the vulnerabilities described above, HPE Aruba Networking \nrecommends upgrading your EdgeConnect Orchestrator to one of the following \nversions (as applicable):\n  - EdgeConnect SD-WAN Orchestrator 9.6.x : 9.6.1 and above\n  - EdgeConnect SD-WAN Orchestrator 9.5.x : 9.5.6 and above\n  - EdgeConnect SD-WAN Orchestrator 9.4.x : 9.4.8 and above\n\nHPE Aruba Networking does not evaluate or patch software branches\nthat have reached their End of Maintenance (EoM) milestone.\n\nSupported EdgeConnect SD-WAN Orchestrator software branches as \nof the publication date of this advisory are:\n  - EdgeConnect SD-WAN Orchestrator 9.6.x \n  - EdgeConnect SD-WAN Orchestrator 9.5.x \n  - EdgeConnect SD-WAN Orchestrator 9.4.x \n\nSoftware versions with resolution/fixes for the vulnerabilities covered   \nabove, can be downloaded from the HPE Networking Support Portal.   \nhttps://networkingsupport.hpe.com/home/   \n\nHPE Aruba Networking does not evaluate or patch software \nbranches that have reached their End of Maintenance (EoM) \nmilestone. For more information about Aruba's End of Support\npolicy please visit: https://www.hpe.com/psnow/doc/a00143052enw",
          "product_ids": [
            "9.6.1",
            "9.5.6"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        },
        {
          "category": "workaround",
          "date": "2026-01-13T18:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above along with accounting controls for tracking and logging user activities and resource usage. ",
          "product_ids": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.2,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "temporalScore": 7.2,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ]
        }
      ],
      "title": "Authenticated SQL Injection in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface "
    },
    {
      "acknowledgments": [
        {
          "names": [
            "m0x_noob"
          ],
          "organization": "Bugcrowd",
          "summary": "This vulnerability was discovered and reported by m0x_noob through HPE Aruba Networking's Bug Bounty program"
        }
      ],
      "cve": "CVE-2025-37185",
      "notes": [
        {
          "category": "details",
          "text": "Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct stored cross-site scripting (XSS) attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary script code in a victim's browser in the context of the affected interface and thereby make unauthorized arbitrary configuration changes to the host. ",
          "title": "Details"
        },
        {
          "category": "other",
          "text": "ATLSP-135, ATLSP-137, ATLSP-141, ATLSP-142, ATLSP-144, ATLSP-145, ATLSP-146, ATLSP-147, VULN-67, VULN-68, VULN-71, VULN-146 ",
          "title": "Internal References"
        }
      ],
      "product_status": {
        "fixed": [
          "9.6.1",
          "9.5.6"
        ],
        "known_affected": [
          ">=9.6.0|<=9.6.0",
          ">=9.5.0|<=9.5.5",
          ">=9.4.0|<=9.4.4"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-02-10T18:00:00.000Z",
          "details": "To fully patch the vulnerabilities described above, HPE Aruba Networking \nrecommends upgrading your EdgeConnect Orchestrator to one of the following \nversions (as applicable):\n  - EdgeConnect SD-WAN Orchestrator 9.6.x : 9.6.1 and above\n  - EdgeConnect SD-WAN Orchestrator 9.5.x : 9.5.6 and above\n  - EdgeConnect SD-WAN Orchestrator 9.4.x : 9.4.8 and above\n\nHPE Aruba Networking does not evaluate or patch software branches\nthat have reached their End of Maintenance (EoM) milestone.\n\nSupported EdgeConnect SD-WAN Orchestrator software branches as \nof the publication date of this advisory are:\n  - EdgeConnect SD-WAN Orchestrator 9.6.x \n  - EdgeConnect SD-WAN Orchestrator 9.5.x \n  - EdgeConnect SD-WAN Orchestrator 9.4.x \n\nSoftware versions with resolution/fixes for the vulnerabilities covered   \nabove, can be downloaded from the HPE Networking Support Portal.   \nhttps://networkingsupport.hpe.com/home/   \n\nHPE Aruba Networking does not evaluate or patch software \nbranches that have reached their End of Maintenance (EoM) \nmilestone. For more information about Aruba's End of Support\npolicy please visit: https://www.hpe.com/psnow/doc/a00143052enw",
          "product_ids": [
            "9.6.1",
            "9.5.6"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        },
        {
          "category": "workaround",
          "date": "2026-01-13T17:00:00.000Z",
          "details": "To minimize the likelihood of an attacker exploiting these vulnerabilities, HPE Aruba Networking recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above along with accounting controls for tracking and logging user activities and resource usage. As a best practice, it is recommended to configure IP-allow-listing for Orchestrator local users and API keys.",
          "product_ids": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ],
          "url": "https://myenterpriselicense.hpe.com/"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "environmentalScore": 5.5,
            "environmentalSeverity": "MEDIUM",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "temporalScore": 5.5,
            "temporalSeverity": "MEDIUM",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            ">=9.6.0|<=9.6.0",
            ">=9.5.0|<=9.5.5",
            ">=9.4.0|<=9.4.4"
          ]
        }
      ],
      "title": "Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS) in EdgeConnect SD-WAN Orchestrator Web Administration Interface"
    }
  ]
}