Critical Vulnerability Information

Vulnerability Overview

- Vulnerability ID: HPESBNW04992 rev.1
- Product: HPE Aruba Networking EdgeConnect SD-WAN Orchestrator
- Release Date: 2026-01-13
- Status: Confirmed
- Severity: High

Affected Product Versions

EdgeConnect SD-WAN Orchestrator:
- 9.6.x: 9.6.0
- 9.5.x: 9.5.5 and below
- 9.4.x: 9.4.4 and below

Vulnerability Details

1. CVE-2025-37181, CVE-2025-37182, CVE-2025-37183
   - Type: Authenticated SQL Injection Vulnerabilities
   - Severity: High
   - CVSSv3.1 Base Score: 7.2
   - Description: Vulnerabilities in the network management interface allow authenticated remote attackers to perform SQL injection attacks.

2. CVE-2025-37184
   - Type: Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention
   - Severity: Medium
   - CVSSv3.1 Base Score: 6.5
   - Description: A vulnerability in the Orchestrator service allows unauthenticated remote attackers to bypass multi-factor authentication requirements.

3. CVE-2025-37185
   - Type: Authenticated Stored Cross-Site Scripting Vulnerabilities (XSS)
   - Severity: Medium
   - CVSSv3.1 Base Score: 5.5
   - Description: Vulnerabilities in the network management interface allow authenticated remote attackers to perform stored cross-site scripting attacks.

Remediation

Recommended Upgrade to:
- EdgeConnect SD-WAN Orchestrator 9.6.x: 9.6.1 and above
- EdgeConnect SD-WAN Orchestrator 9.5.x: 9.5.6 and above

End-of-Life Versions:
- EdgeConnect SD-WAN Orchestrator 9.3.x
- EdgeConnect SD-WAN Orchestrator 9.2.x