CVE-2025-37184: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator
CVE-2025-37184 is a medium-severity vulnerability in Hewlett Packard Enterprise's EdgeConnect SD-WAN Orchestrator versions 9.4.0 and 9.5.0. It allows a remote attacker who already holds a low-privileged account (the CVSS vector specifies PR:L, so the attacker is authenticated but not an administrator) to bypass multi-factor authentication (MFA) controls. Exploiting this flaw lets the attacker create an administrative user account without completing MFA, defeating the access-control integrity of the orchestrator. The vulnerability does not directly impact confidentiality or availability, but an attacker-controlled administrator on the orchestrator can change the configuration pushed to every managed EdgeConnect appliance. No exploitation in the wild is known at the time of this entry. European organizations running affected versions should prioritize patching or mitigating this vulnerability to prevent unauthorized administrative access.
AI Analysis
Technical Summary
CVE-2025-37184 is a vulnerability in Hewlett Packard Enterprise's EdgeConnect SD-WAN Orchestrator, affecting versions 9.4.0 and 9.5.0. The flaw resides in an Orchestrator service that fails to enforce the MFA requirement on a privileged operation. A remote attacker who holds a low-privileged account can exploit it to bypass MFA and create a new administrative user without completing the MFA step that the configured policy requires. Because the new account is a full administrator, the attacker ends up with administrative control of the orchestrator. The vulnerability has a CVSS 3.1 base score of 6.5 (medium) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N: network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. The PR:L component is why the score stays in the medium band; the practical consequence, a self-created persistent administrator, is considerably worse than the score alone suggests. No exploitation in the wild has been reported. The orchestrator is the central management plane for an SD-WAN deployment, so unauthorized administrative access could be used to alter traffic-steering policy, push configuration changes to managed appliances, or disrupt network services. The CVE identifier was reserved on 2025-04-16 and the entry was published in January 2026. This entry lists no fixed version or vendor mitigation; consult HPE's security bulletin for the fixed release rather than assuming none exists.
Potential Impact
For European organizations, this vulnerability poses a substantial risk to the integrity of SD-WAN network management. Successful exploitation gives an attacker an administrative account on the orchestrator, which can be used for unauthorized configuration changes, rerouting or interception of traffic that the SD-WAN policy controls, or disruption of network operations. Given the central role of the orchestrator in managing enterprise-wide connectivity, such a compromise could affect business continuity, data integrity, and compliance with regulatory requirements such as GDPR. Organizations in sectors with stringent security needs, such as finance, healthcare, energy, and government, are particularly exposed. The absence of direct confidentiality and availability impact means this flaw on its own does not leak data or cause denial of service, but an attacker-created administrator is a durable foothold from which both become possible. The medium CVSS score reflects that exploitation requires an existing low-privileged account, which narrows the attack surface to users who already have, or have stolen, orchestrator credentials. Once such access exists, the network attack vector and lack of user interaction make remote exploitation straightforward.
Mitigation Recommendations
1. Monitor HPE's security bulletins for the fixed release addressing CVE-2025-37184 and apply the update promptly; until then, treat every low-privileged orchestrator account as able to escalate to administrator.
2. Restrict network access to the Orchestrator management interfaces using network segmentation, firewall rules, and VPNs so that only trusted administrator networks or jump hosts can reach them.
3. Review the orchestrator's existing user list for administrative accounts you did not create, and enable audit logging so that every account creation and role change is recorded and forwarded to your SIEM.
4. Alert on administrative account creation, especially when the acting user is not an administrator or the session shows no MFA completion, and on unexpected configuration pushes to managed appliances.
5. Where the platform supports external authentication (for example RADIUS, TACACS+, or SAML), enforce MFA at the identity provider as well, so that an MFA bypass inside the orchestrator service does not remove the second factor entirely; prefer phishing-resistant methods such as certificates or hardware tokens where available.
6. Conduct regular security assessments and penetration testing focused on SD-WAN infrastructure to identify exploitation paths, including what a low-privileged orchestrator account can reach.
7. Brief network and security teams on this vulnerability and ensure incident response plans cover orchestrator compromise, including how to revoke rogue administrators and re-validate pushed configurations.
8. Consider temporary compensating controls such as disabling remote administrative access or limiting it to jump hosts until the patch is applied.
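Recommendations 3 and 4 come down to one correlation: an administrative account was created in a session that never completed MFA, or by an actor who is not an administrator. The following is an added example written for this page, not HPE code and not the Orchestrator's real log schema. The JSON-lines audit log, its field names (`event`, `session`, `role`, `target_role`) and the event names (`auth.mfa_ok`, `user.create`) are constructed for illustration; map them onto whatever your orchestrator or SIEM actually exports.

```python
"""Flag administrative account creation that bypassed MFA or came from a non-admin actor.

Added example for this page. The log format below is CONSTRUCTED and hypothetical;
it is not the EdgeConnect SD-WAN Orchestrator's audit schema.
"""
import json
from dataclasses import dataclass

# Constructed sample audit log (JSON lines). Session s1 is a normal admin that
# completed MFA; s2 is a low-privileged user creating an admin with no MFA event;
# s3 is an admin creating another admin without an MFA event in the session.
SAMPLE_LOG = """\
{"ts":"2026-01-14T09:00:01Z","event":"auth.login","session":"s1","actor":"alice","role":"admin","src":"10.0.0.5"}
{"ts":"2026-01-14T09:00:04Z","event":"auth.mfa_ok","session":"s1","actor":"alice","role":"admin","src":"10.0.0.5"}
{"ts":"2026-01-14T09:01:10Z","event":"user.create","session":"s1","actor":"alice","role":"admin","src":"10.0.0.5","target":"bob","target_role":"monitor"}
{"ts":"2026-01-14T10:15:00Z","event":"auth.login","session":"s2","actor":"carol","role":"monitor","src":"203.0.113.7"}
{"ts":"2026-01-14T10:15:03Z","event":"user.create","session":"s2","actor":"carol","role":"monitor","src":"203.0.113.7","target":"svc_backup","target_role":"admin"}
{"ts":"2026-01-14T11:30:00Z","event":"auth.login","session":"s3","actor":"dave","role":"admin","src":"10.0.0.9"}
{"ts":"2026-01-14T11:30:20Z","event":"user.create","session":"s3","actor":"dave","role":"admin","src":"10.0.0.9","target":"eve","target_role":"admin"}
"""

ADMIN_ROLES = {"admin"}  # hypothetical role name; adjust to the platform's own


@dataclass
class Finding:
    ts: str
    actor: str
    actor_role: str
    src: str
    target: str
    reasons: list


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank lines, preserving order."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_admin_creations(events):
    """Return a Finding for each admin-account creation that lacks MFA in its
    session or is performed by a non-admin actor. Events must be time-ordered."""
    mfa_sessions = set()   # sessions in which an MFA completion event was seen
    findings = []
    for ev in events:
        if ev["event"] == "auth.mfa_ok":
            mfa_sessions.add(ev["session"])
        elif ev["event"] == "user.create" and ev.get("target_role") in ADMIN_ROLES:
            reasons = []
            if ev["session"] not in mfa_sessions:
                reasons.append("admin account created in a session with no MFA completion")
            if ev.get("role") not in ADMIN_ROLES:
                reasons.append(f"actor role '{ev.get('role')}' should not be able to create admins")
            if reasons:
                findings.append(Finding(ev["ts"], ev["actor"], ev.get("role", "?"),
                                        ev.get("src", "?"), ev["target"], reasons))
    return findings


def admins_not_in_baseline(events, baseline_admins):
    """Recommendation 3: compare admin accounts created in the log against a
    known-good set of administrators; anything new deserves a human review."""
    created = {ev["target"] for ev in events
               if ev["event"] == "user.create" and ev.get("target_role") in ADMIN_ROLES}
    return created - set(baseline_admins)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in find_suspicious_admin_creations(evs):
        print(f"{f.ts} {f.actor}({f.actor_role})@{f.src} created admin '{f.target}': "
              + "; ".join(f.reasons))
    print("admins outside baseline:", admins_not_in_baseline(evs, {"alice", "dave"}))
```

Run it against a real export by replacing `SAMPLE_LOG` with the orchestrator's audit feed after mapping the field names. The MFA check is keyed on the session identifier rather than the username so that a bypass in one session is not masked by a legitimate MFA completion from the same user elsewhere; if your logs carry no session id, key on (actor, source address, login time window) instead, accepting more false positives.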
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- hpe
- Date Reserved
- 2025-04-16T01:28:25.381Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 6967c568d0ff220b95b357ec
Added to database: 1/14/2026, 4:33:44 PM
Last enriched: 1/14/2026, 4:49:22 PM
Last updated: 1/14/2026, 5:53:09 PM