CVE-2025-37123 Overview
CVE-2025-37123 is a privilege escalation vulnerability in the command-line interface (CLI) of HPE Aruba Networking EdgeConnect SD-WAN Gateways. An authenticated remote attacker can abuse the flaw to execute arbitrary system commands with root privileges on the underlying operating system. The weakness is categorized under [CWE-269] Improper Privilege Management.
The vulnerability requires only low-privilege authenticated access over the network, making lateral movement and full gateway compromise viable from any account with CLI access. Successful exploitation provides complete control over the SD-WAN gateway, threatening confidentiality, integrity, and availability of routed traffic.
Critical Impact
An authenticated attacker can escalate to root on the SD-WAN gateway and execute arbitrary OS commands, fully compromising the device and the traffic it forwards.
Affected Products
- HPE Aruba Networking EdgeConnect SD-WAN Gateways (CLI component)
- Refer to the HPE Support Document for affected firmware versions
- Deployments exposing CLI access to authenticated users
Discovery Timeline
- 2025-09-16 - CVE-2025-37123 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-37123
Vulnerability Analysis
The flaw resides in the CLI of HPE Aruba Networking EdgeConnect SD-WAN Gateways. The CLI fails to properly enforce privilege boundaries when handling certain commands, allowing a lower-privileged authenticated user to invoke functionality reserved for administrative or root contexts. Once invoked, the attacker can run arbitrary system commands at the OS level.
Because SD-WAN gateways sit at the edge of corporate networks and terminate site-to-site tunnels, gaining root on these devices gives attackers a foothold to inspect, redirect, or modify traffic between branches and data centers. The issue maps to [CWE-269] Improper Privilege Management, indicating that authorization checks around command execution do not align with the privileges those commands ultimately wield.
Root Cause
The root cause is improper privilege management within the CLI command handlers. Specific commands accessible to authenticated users delegate execution to OS-level processes without sufficiently validating that the invoking user holds the privileges required for the underlying action. The CLI effectively acts as a confused deputy, executing privileged operations on behalf of unprivileged callers.
Attack Vector
An attacker first obtains valid credentials for the EdgeConnect gateway CLI, which can be achieved through credential theft, phishing, reused passwords, or a compromised low-privilege operator account. The attacker then connects to the CLI over the network and issues the affected command sequence, which triggers execution of arbitrary commands as root. No user interaction is required, and exploitation complexity is low. Refer to the HPE Support Document for technical specifics not disclosed publicly.
No public proof-of-concept exploit has been published. The EPSS probability is 0.267% (50th percentile) as of 2026-05-25, reflecting low observed exploit activity at this time.
Detection Methods for CVE-2025-37123
Indicators of Compromise
- Unexpected CLI sessions from operator-tier accounts followed by privilege-sensitive command execution
- Shell or system processes spawned by the CLI service running as root outside of normal maintenance windows
- New or modified files in system directories, cron entries, or SSH authorized_keys on the gateway
- Configuration changes to routing, ACLs, or tunnel endpoints without a corresponding change ticket
Detection Strategies
- Centralize CLI audit logs from EdgeConnect gateways and alert on commands that transition to elevated execution contexts
- Baseline normal CLI command patterns per user role and flag deviations, especially commands rarely used by operator accounts
- Correlate authentication events with subsequent privileged operations to identify anomalous escalation sequences
Monitoring Recommendations
- Forward gateway syslog and CLI command history to a SIEM for long-term retention and correlation
- Monitor outbound connections from the gateway management plane to non-management destinations
- Track firmware version and configuration drift across the SD-WAN fleet to detect unauthorized changes
How to Mitigate CVE-2025-37123
Immediate Actions Required
- Apply the fixed firmware published by HPE for EdgeConnect SD-WAN Gateways as described in the HPE Support Document
- Restrict CLI access to a dedicated management network and trusted jump hosts
- Rotate credentials for all CLI users and enforce multi-factor authentication where supported
- Audit existing local accounts and remove unused or shared operator accounts
Patch Information
HPE has released firmware updates addressing CVE-2025-37123. Administrators should consult the HPE Support Document for affected versions and the corresponding fixed builds, then schedule upgrades across all gateways in the SD-WAN fabric.
Workarounds
- Limit CLI exposure by binding management interfaces to out-of-band networks only
- Apply least-privilege role assignments so that operational tasks do not require interactive CLI access
- Enable session logging and command accounting to deter and detect misuse pending patch deployment
# Configuration example: restrict CLI access to a management subnet
# (Adapt to EdgeConnect CLI syntax in your firmware version)
configure terminal
access-list mgmt-acl permit tcp 10.10.0.0/24 any eq 22
access-list mgmt-acl deny tcp any any eq 22
interface mgmt0
ip access-group mgmt-acl in
exit
end
write memory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
