Cyber Resilience

CVE-2025-37184

Critical

Published: 14 January 2026

Published
14 January 2026
Modified
03 March 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0057 42.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-37184 is a critical-severity Improper Authentication (CWE-287) vulnerability in Arubanetworks Edgeconnect Sd-Wan Orchestrator. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).

Deeper analysis

CVE-2025-37184, published on 2026-01-14, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in an Orchestrator service stemming from improper authentication (CWE-287). The flaw enables an unauthenticated remote attacker to bypass multi-factor authentication requirements, allowing the creation of an admin user account without the necessary MFA verification and thereby undermining the integrity of secured system access.

The attack scenario targets unauthenticated attackers with network access, requiring no privileges, user interaction, or special conditions due to the low attack complexity. Exploitation grants the ability to establish persistent administrative access by creating a privileged account, potentially leading to high confidentiality, integrity, and availability impacts across the affected system.

HPE provides mitigation details, including patches and advisories, in their security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity…

more

of secured access to the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1136 Create Account Persistence
Adversaries may create an account to maintain access to victim systems.
Why these techniques?

Unauthenticated remote exploitation of orchestrator service bypasses MFA to create admin accounts, directly enabling T1190 (Exploit Public-Facing Application) and T1136 (Create Account).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-37181Same product: Arubanetworks Edgeconnect Sd-Wan Orchestrator
CVE-2025-37182Same product: Arubanetworks Edgeconnect Sd-Wan Orchestrator
CVE-2025-37183Same product: Arubanetworks Edgeconnect Sd-Wan Orchestrator
CVE-2025-37173Same vendor: Arubanetworks
CVE-2026-44852Same vendor: Arubanetworks
CVE-2026-44854Same vendor: Arubanetworks
CVE-2025-37169Same vendor: Arubanetworks
CVE-2026-44862Same vendor: Arubanetworks
CVE-2026-23827Same vendor: Arubanetworks
CVE-2026-44869Same vendor: Arubanetworks

Affected Assets

arubanetworks
edgeconnect sd-wan orchestrator
9.6.0 · 9.2.0 — 9.2.10 · 9.3.0 — 9.3.6 · 9.4.0 — 9.4.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 explicitly restricts user-executable actions without identification or authentication, directly preventing unauthenticated admin account creation exploited by this CVE.

prevent

IA-2 mandates identification and authentication including MFA for organizational users, countering the improper authentication and MFA bypass in the Orchestrator service.

prevent

AC-2 enforces management of accounts including creation and privileged account provisioning, mitigating unauthorized admin account establishment without authentication.

References