CVE-2022-37913 is a critical remote authentication bypass vulnerability affecting multiple versions of Aruba EdgeConnect Enterprise Orchestrator, including on-premises deployments, as-a-service offerings, service provider versions, and global enterprise tenant orchestrators. The vulnerability resides in the web-based management interface of the Orchestrator, which is responsible for centralized management and orchestration of Aruba EdgeConnect SD-WAN solutions. An unauthenticated remote attacker can exploit this flaw to bypass the authentication mechanism entirely, gaining administrative privileges without valid credentials. This leads to a complete compromise of the affected Orchestrator instance. The affected versions include 9.1.2.40051 and below, 9.0.7.40108 and below, 8.10.23.40009 and below, and older branches not specifically enumerated. The vulnerability is classified under CWE-287 (Improper Authentication). The CVSS v3.1 base score is 9.8 (critical), reflecting the vulnerability's high impact on confidentiality, integrity, and availability, with no required privileges or user interaction and remote network attack vector. Although no public exploits have been reported in the wild as of the publication date, the severity and ease of exploitation make this a significant threat to organizations using Aruba EdgeConnect Enterprise Orchestrator. Successful exploitation could allow attackers to manipulate network configurations, intercept or redirect traffic, deploy malicious policies, or disrupt network operations, potentially affecting the entire SD-WAN infrastructure managed by the Orchestrator.

For European organizations, this vulnerability poses a severe risk due to the widespread adoption of Aruba EdgeConnect SD-WAN solutions in enterprise and service provider environments. Compromise of the Orchestrator can lead to unauthorized control over network traffic routing, exposure of sensitive data traversing the SD-WAN, and disruption of critical business communications. Given the centralized nature of the Orchestrator, a successful attack could cascade across multiple sites and business units, amplifying the impact. This is particularly critical for sectors with strict data protection regulations such as finance, healthcare, and government agencies in Europe, where confidentiality and integrity of data are paramount. Additionally, disruption of network availability could affect business continuity and compliance with regulatory requirements like GDPR. The lack of authentication requirement and remote exploitability increase the likelihood of attacks, especially if the management interface is exposed to untrusted networks or insufficiently segmented internal networks.

European organizations should prioritize immediate assessment and remediation of affected Aruba EdgeConnect Enterprise Orchestrator deployments. Specific mitigation steps include: 1) Applying the latest patches or updates from Aruba Networks as soon as they become available to address CVE-2022-37913. 2) Restricting access to the Orchestrator management interface by implementing network segmentation and firewall rules to limit access to trusted administrative networks only. 3) Employing VPNs or secure tunnels for remote management access to reduce exposure. 4) Enabling multi-factor authentication (MFA) where supported to add an additional layer of security. 5) Monitoring Orchestrator logs and network traffic for unusual authentication bypass attempts or administrative actions. 6) Conducting regular vulnerability scans and penetration tests focused on management interfaces. 7) Reviewing and minimizing the number of users with administrative privileges to reduce potential attack surface. 8) Implementing strict change management and incident response plans tailored to SD-WAN infrastructure. These measures go beyond generic advice by focusing on access control hardening, proactive monitoring, and operational security tailored to the specific product and vulnerability.