Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-37184

CVE-2025-37184: Arubanetworks EdgeConnect MFA Bypass

CVE-2025-37184 is an authentication bypass vulnerability in Arubanetworks EdgeConnect SD-WAN Orchestrator that allows attackers to bypass MFA and create admin accounts. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-37184 Overview

A critical authentication bypass vulnerability exists in the Aruba EdgeConnect SD-WAN Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication (MFA) requirements. Successful exploitation could allow an attacker to create an administrative user account without completing the necessary multi-factor authentication challenge, thereby compromising the integrity of secured access to the system.

Critical Impact

This vulnerability enables complete bypass of MFA controls, allowing attackers to create privileged admin accounts and gain unauthorized access to SD-WAN management infrastructure.

Affected Products

  • Aruba EdgeConnect SD-WAN Orchestrator (multiple versions)
  • Aruba EdgeConnect SD-WAN Orchestrator version 9.6.0
  • HPE Aruba Networking EdgeConnect SD-WAN Orchestrator

Discovery Timeline

  • January 14, 2026 - CVE-2025-37184 published to NVD
  • January 20, 2026 - Last updated in NVD database

Technical Details for CVE-2025-37184

Vulnerability Analysis

This vulnerability is classified under CWE-287 (Improper Authentication), indicating a fundamental flaw in how the Orchestrator service validates authentication sequences. The vulnerability exists within the account provisioning workflow of the EdgeConnect SD-WAN Orchestrator, where an improper authentication state check allows attackers to circumvent the MFA enforcement mechanism.

The flaw allows unauthenticated attackers operating remotely over the network to bypass multi-factor authentication entirely when creating administrative accounts. This represents a severe security risk as MFA is typically deployed as a critical security control to prevent unauthorized access even when primary credentials are compromised.

The attack requires no privileges and no user interaction, making it particularly dangerous for internet-exposed Orchestrator instances. An attacker can achieve high confidentiality, integrity, and availability impact by creating unauthorized admin accounts that provide full system control.

Root Cause

The root cause stems from improper authentication flow validation within the Orchestrator service. The system fails to properly enforce the MFA verification step during administrative account creation, allowing the authentication process to complete without the second factor being validated. This represents a critical logic flaw in the authentication state machine that allows bypassing mandatory security controls.

Attack Vector

The attack can be executed remotely over the network without requiring any prior authentication or user interaction. An attacker targets the EdgeConnect SD-WAN Orchestrator's account management endpoint and exploits the improper authentication validation to create an administrative user account. The attack sequence bypasses the MFA challenge entirely, granting the attacker full administrative access to the SD-WAN infrastructure.

The vulnerability allows attackers to:

  1. Access the Orchestrator service remotely
  2. Initiate administrative account creation
  3. Bypass MFA verification requirements
  4. Successfully create a privileged admin account
  5. Gain unauthorized access to manage the SD-WAN environment

Detection Methods for CVE-2025-37184

Indicators of Compromise

  • Unexpected administrative user accounts appearing in the Orchestrator user management console
  • Authentication logs showing admin account creation events without corresponding MFA challenge completions
  • API access logs indicating direct calls to account provisioning endpoints from unexpected sources
  • Audit trail entries showing administrative actions from recently created accounts with no legitimate business justification

Detection Strategies

  • Monitor Orchestrator authentication logs for account creation events that lack MFA verification records
  • Implement alerting for any new administrative account creation outside of normal change windows
  • Review audit logs for administrative API calls originating from unusual IP addresses or geographic locations
  • Deploy network monitoring to detect anomalous traffic patterns to Orchestrator management interfaces

Monitoring Recommendations

  • Enable verbose logging on all EdgeConnect SD-WAN Orchestrator instances
  • Configure SIEM rules to correlate account creation events with MFA completion status
  • Establish baseline administrative user accounts and alert on any deviations
  • Implement real-time monitoring of authentication endpoints for suspicious activity patterns

How to Mitigate CVE-2025-37184

Immediate Actions Required

  • Review the HPE Security Advisory for official guidance and apply available patches immediately
  • Audit all administrative accounts on affected Orchestrator instances and remove any unauthorized users
  • Restrict network access to Orchestrator management interfaces using firewall rules or VPN requirements
  • Enable enhanced logging and monitoring on all Orchestrator instances pending patch deployment

Patch Information

HPE Aruba Networking has released a security advisory addressing this vulnerability. Organizations should consult the HPE Security Advisory for specific patch versions and upgrade instructions. Apply the vendor-provided security updates as the primary remediation for this vulnerability.

Workarounds

  • Implement network segmentation to restrict access to Orchestrator management interfaces to trusted administrative networks only
  • Deploy a web application firewall (WAF) in front of Orchestrator instances to filter potentially malicious requests
  • Enforce strict IP allowlisting for all administrative access to Orchestrator services
  • Consider temporarily disabling remote administrative access until patches can be applied if operational requirements permit
bash
# Network access restriction example (firewall rule concept)
# Restrict Orchestrator management interface to trusted admin networks only
# Replace with your specific firewall syntax and trusted IP ranges
# iptables -A INPUT -p tcp --dport 443 -s <trusted_admin_network> -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne