Cyber Posture

CVE-2025-37184

Critical

Published: 14 January 2026

Published
14 January 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0031 54.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity…

more

of secured access to the system.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

AC-14 explicitly restricts user-executable actions without identification or authentication, directly preventing unauthenticated admin account creation exploited by this CVE.

IA-2 Identification and Authentication (Organizational Users) good match
prevent

IA-2 mandates identification and authentication including MFA for organizational users, countering the improper authentication and MFA bypass in the Orchestrator service.

AC-2 Account Management good match
prevent

AC-2 enforces management of accounts including creation and privileged account provisioning, mitigating unauthorized admin account establishment without authentication.

Security SummaryAI

CVE-2025-37184, published on 2026-01-14, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in an Orchestrator service stemming from improper authentication (CWE-287). The flaw enables an unauthenticated remote attacker to bypass multi-factor authentication requirements, allowing the creation of an admin user account without the necessary MFA verification and thereby undermining the integrity of secured system access.

The attack scenario targets unauthenticated attackers with network access, requiring no privileges, user interaction, or special conditions due to the low attack complexity. Exploitation grants the ability to establish persistent administrative access by creating a privileged account, potentially leading to high confidentiality, integrity, and availability impacts across the affected system.

HPE provides mitigation details, including patches and advisories, in their security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US.

Details

CWE(s)
CWE-287

Affected Products

arubanetworks
edgeconnect sd-wan orchestrator
9.6.0 · 9.2.0 — 9.2.10 · 9.3.0 — 9.3.6 · 9.4.0 — 9.4.3

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
attack.mitre.org →
Why these techniques?

Unauthenticated remote exploitation of orchestrator service bypasses MFA to create admin accounts, directly enabling T1190 (Exploit Public-Facing Application) and T1136 (Create Account).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References