CVE-2025-37184
Published: 14 January 2026
Summary
CVE-2025-37184 is a critical-severity Improper Authentication (CWE-287) vulnerability in Arubanetworks Edgeconnect Sd-Wan Orchestrator. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 explicitly restricts user-executable actions without identification or authentication, directly preventing unauthenticated admin account creation exploited by this CVE.
IA-2 mandates identification and authentication including MFA for organizational users, countering the improper authentication and MFA bypass in the Orchestrator service.
AC-2 enforces management of accounts including creation and privileged account provisioning, mitigating unauthorized admin account establishment without authentication.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of orchestrator service bypasses MFA to create admin accounts, directly enabling T1190 (Exploit Public-Facing Application) and T1136 (Create Account).
NVD Description
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity…
more
of secured access to the system.
Deeper analysisAI
CVE-2025-37184, published on 2026-01-14, is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in an Orchestrator service stemming from improper authentication (CWE-287). The flaw enables an unauthenticated remote attacker to bypass multi-factor authentication requirements, allowing the creation of an admin user account without the necessary MFA verification and thereby undermining the integrity of secured system access.
The attack scenario targets unauthenticated attackers with network access, requiring no privileges, user interaction, or special conditions due to the low attack complexity. Exploitation grants the ability to establish persistent administrative access by creating a privileged account, potentially leading to high confidentiality, integrity, and availability impacts across the affected system.
HPE provides mitigation details, including patches and advisories, in their security bulletin at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US.
Details
- CWE(s)