HPE Aruba Networking Product Security Advisory
==============================================

Advisory ID: HPESBNW04992
CVE: CVE-2025-37181, CVE-2025-37182, CVE-2025-37183, CVE-2025-37184,
     CVE-2025-37185
Publication Date: 2026-Jan-13
Last Updated: 2026-Mar-03
Status: Confirmed
Severity: Critical
Revision: 3

Title
=====
Multiple Vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN
Orchestrator

Overview
========
HPE Aruba Networking has released patches for EdgeConnect SD-WAN
Orchestrator that address multiple security vulnerabilities.

Affected Products
=================
HPE Aruba Networking EdgeConnect SD-WAN Orchestrator
  - EdgeConnect SD-WAN Orchestrator 9.6.x: 9.6.0
  - EdgeConnect SD-WAN Orchestrator 9.5.x: 9.5.5 and below
  - EdgeConnect SD-WAN Orchestrator 9.4.x: 9.4.7 and below

NOTE:
  - EdgeConnect SD-WAN Orchestrator 9.3.x was declared End of
    Maintenance as of June 30, 2025. All builds of this version are
    affected unless otherwise noted.
  - EdgeConnect SD-WAN Orchestrator 9.2.x - all builds of this version
    and older - are affected and are End of Maintenance.

Versions of HPE Aruba Networking EdgeConnect SD-WAN Orchestrator that
are end of life are affected by these vulnerabilities unless otherwise
indicated.

Unaffected Products
===================
Any other HPE Aruba Networking products not specifically listed above
are not affected by these vulnerabilities.

Details
=======
Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention
(CVE-2025-37184)
-----------------------------------------------------------------------
A vulnerability exists in an Orchestrator service that could allow an
unauthenticated remote attacker to bypass multi-factor authentication
requirements. Successful exploitation could allow an attacker to create
an admin user account without the necessary multi-factor authentication,
thereby compromising the integrity of secured access to the system.
Internal References: VULN-60
Severity: Critical
CVSSv3.1 Base Score: 9.8
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Discovery:
  This vulnerability was discovered and reported by Nicholas Starke of
  Aruba Threat Labs
Note:
  In addition to the releases listed in the Resolution section, fixes
  for this specific vulnerability have also been added to:
  - EdgeConnect SD-WAN Orchestrator versions 9.3.6 and above
  - EdgeConnect SD-WAN Orchestrator versions 9.4.3 and above
Workaround:
  None

Authenticated SQL Injection Vulnerabilities in EdgeConnect SD-WAN
Orchestrator Web-Based Management Interface (CVE-2025-37181,
CVE-2025-37182, CVE-2025-37183)
---------------------------------------------------------------------
Vulnerabilities in the web-based management interface of EdgeConnect
SD-WAN Orchestrator could allow an authenticated remote attacker to
perform SQL injection attacks. Successful exploitation could allow an
attacker to execute arbitrary SQL commands on the underlying database,
potentially leading to unauthorized data access or data manipulation.

Internal References: VULN-61, VULN-62, VULN-63, VULN-70
Severity: High
CVSSv3.1 Base Score: 7.2
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Discovery:
  These vulnerabilities were discovered and reported by moonv through
  HPE Aruba Networking's Bug Bounty program
Workaround:
  To minimize the likelihood of an attacker exploiting these
  vulnerabilities, HPE Aruba Networking recommends that the CLI and
  web-based management interfaces be restricted to a dedicated layer 2
  segment/VLAN and/or controlled by firewall policies at layer 3 and
  above, along with accounting controls for tracking and logging user
  activities and resource usage. As a best practice, it is recommended
  to configure IP allow-listing for Orchestrator local users and API
  keys.
Authenticated Stored Cross-Site Scripting (XSS) Vulnerabilities in
EdgeConnect SD-WAN Orchestrator Web Administration Interface
(CVE-2025-37185)
---------------------------------------------------------------------
Vulnerabilities in the web-based management interface of EdgeConnect
SD-WAN Orchestrator could allow an authenticated remote attacker to
conduct stored cross-site scripting (XSS) attacks against an
administrative user of the interface. A successful exploit allows an
attacker to execute arbitrary script code in a victim's browser in the
context of the affected interface and thereby make unauthorized
arbitrary configuration changes to the host.

Internal References: ATLSP-135, ATLSP-137, ATLSP-141, ATLSP-142,
                     ATLSP-144, ATLSP-145, ATLSP-146, ATLSP-147,
                     VULN-67, VULN-68, VULN-71, VULN-146
Severity: Medium
CVSSv3.1 Base Score: 5.5
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N
Discovery:
  This vulnerability was discovered and reported by m0x_noob through
  HPE Aruba Networking's Bug Bounty program
Workaround:
  To minimize the likelihood of an attacker exploiting these
  vulnerabilities, HPE Aruba Networking recommends that the CLI and
  web-based management interfaces be restricted to a dedicated layer 2
  segment/VLAN and/or controlled by firewall policies at layer 3 and
  above, along with accounting controls for tracking and logging user
  activities and resource usage. As a best practice, it is recommended
  to configure IP allow-listing for Orchestrator local users and API
  keys.
Resolution
==========
To fully patch the vulnerabilities described above, HPE Aruba
Networking recommends upgrading your EdgeConnect Orchestrator to one of
the following versions (as applicable):
  - EdgeConnect SD-WAN Orchestrator 9.6.x: 9.6.1 and above
  - EdgeConnect SD-WAN Orchestrator 9.5.x: 9.5.6 and above
  - EdgeConnect SD-WAN Orchestrator 9.4.x: 9.4.8 and above

HPE Aruba Networking does not evaluate or patch software branches that
have reached their End of Maintenance (EoM) milestone. Supported
EdgeConnect SD-WAN Orchestrator software branches as of the publication
date of this advisory are:
  - EdgeConnect SD-WAN Orchestrator 9.6.x
  - EdgeConnect SD-WAN Orchestrator 9.5.x
  - EdgeConnect SD-WAN Orchestrator 9.4.x

Software versions with resolutions/fixes for the vulnerabilities covered
above can be downloaded from the HPE Networking Support Portal:
https://networkingsupport.hpe.com/home/

For more information about Aruba's End of Support policy please visit:
https://www.hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability-specific workarounds are listed per vulnerability above.

You may contact HPE Services - HPE Aruba Networking for assistance if
needed. For more information, please visit the HPE Aruba Networking
Support Portal at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Aruba Networking is not aware of any public discussion or exploit
code targeting these specific vulnerabilities as of the release date of
the advisory.
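The affected ranges in Affected Products, the fixed builds in Resolution, and the extra CVE-2025-37184 fixes noted under Details combine into a per-version exposure check. The following is an added example for triaging an Orchestrator inventory against this advisory; it is not HPE's code, the function names are assumed, and the sample inventory is constructed.

```python
"""Exposure triage against HPE Aruba Networking advisory HPESBNW04992.

Added example, not HPE's code: it encodes the affected and fixed version
boundaries the advisory states; the function names are assumed here.
"""
from typing import Dict, Set, Tuple

ALL_CVES = frozenset({"CVE-2025-37181", "CVE-2025-37182", "CVE-2025-37183",
                      "CVE-2025-37184", "CVE-2025-37185"})
# First fixed build per supported branch (Resolution section).
FIXED_IN = {(9, 6): 1, (9, 5): 6, (9, 4): 8}
# CVE-2025-37184 alone also received fixes in these earlier builds (Details).
MFA_BYPASS_FIXED_IN = {(9, 3): 6, (9, 4): 3}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (e.g. '9.5.6') into an int tuple."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def exposed_cves(version: str) -> Set[str]:
    """Return the advisory's CVEs that `version` is still exposed to.
    9.3.x and older are End of Maintenance and treated as affected, except
    for the CVE-2025-37184 fixes the advisory names explicitly."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch > (9, 6):
        return set()  # the advisory lists no affected branch newer than 9.6.x
    if branch in FIXED_IN and patch >= FIXED_IN[branch]:
        return set()  # patched build of a supported branch
    exposed = set(ALL_CVES)
    if branch in MFA_BYPASS_FIXED_IN and patch >= MFA_BYPASS_FIXED_IN[branch]:
        exposed.discard("CVE-2025-37184")
    return exposed


def triage(inventory: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each host in {name: version} to the CVEs it remains exposed to."""
    return {host: exposed_cves(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"orch-a": "9.6.0", "orch-b": "9.5.6", "orch-c": "9.4.5"}
    for host, cves in triage(sample).items():
        print(host, "exposed to:", ", ".join(sorted(cves)) or "none")
```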
Revision History
================
Revision 1 / 2026-Jan-13 / Initial release
Revision 2 / 2026-Feb-10 / Updated Resolution Section to include newly
                           released 9.4.8
Revision 3 / 2026-Mar-03 / Updated CVSS 3.1 Base Score and Vector of
                           CVE-2025-37184

HPE Aruba Networking SIRT Security Procedures
=============================================
Complete information on reporting security vulnerabilities in HPE Aruba
Networking products and obtaining assistance with security incidents is
available at:
http://www.hpe.com/support/security-response-policy

For reporting NEW HPE Aruba Networking security issues, email can be
sent to aruba-sirt@hpe.com. For sensitive information we encourage the
use of PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP. This
advisory may be redistributed freely after the release date given at
the top of the text, provided that the redistributed copies are complete
and unmodified, including all data and version information.