CVE-2025-37184: Vulnerability in Hewlett Packard Enterprise (HPE) EdgeConnect SD-WAN Orchestrator
A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.
AI Analysis
Technical Summary
CVE-2025-37184 is a critical security vulnerability identified in Hewlett Packard Enterprise's EdgeConnect SD-WAN Orchestrator, specifically affecting versions 9.4.0 and 9.5.0. The flaw resides in an Orchestrator service that improperly enforces multi-factor authentication (MFA) requirements, allowing an unauthenticated remote attacker to bypass MFA protections entirely. This bypass enables the attacker to create a new administrative user account without undergoing the intended MFA verification process, effectively granting full administrative privileges. The vulnerability is categorized under CWE-287 (Improper Authentication), indicating a failure to correctly verify user identity before granting access. The CVSS v3.1 base score of 9.1 reflects the vulnerability's critical nature: the attack vector is network-based (AV:N), no privileges are required (PR:N), no user interaction is needed (UI:N), and the scope is unchanged (S:U). The impact primarily affects integrity (I:H) and availability (A:H), since unauthorized admin access can lead to malicious configuration changes, service disruption, or further lateral movement within the network. Although no public exploits have been reported yet, the vulnerability's characteristics make it highly exploitable. The affected product, HPE EdgeConnect SD-WAN Orchestrator, is a key component in managing SD-WAN deployments, which are critical for enterprise network performance and security. The lack of currently available patches makes immediate attention to monitoring and mitigation strategies necessary to reduce exposure.
Potential Impact
The vulnerability poses a severe risk to organizations using HPE EdgeConnect SD-WAN Orchestrator, as it allows attackers to gain unauthorized administrative access without MFA, undermining the system's security controls. This can lead to unauthorized configuration changes, interception or redirection of network traffic, disruption of SD-WAN services, and potential compromise of connected network segments. The integrity of network management is directly threatened, and availability can be impacted if attackers disable or degrade orchestrator functions. Enterprises relying on SD-WAN for secure, reliable connectivity, especially those in sectors like finance, healthcare, government, and critical infrastructure, face heightened risk of operational disruption and data compromise. The ease of exploitation (no authentication or user interaction required) and the remote attack vector increase the likelihood of widespread exploitation once public exploits emerge. The absence of patches further exacerbates the threat, potentially allowing attackers to establish persistent footholds and escalate privileges within enterprise networks.
Mitigation Recommendations
Organizations should immediately assess their use of HPE EdgeConnect SD-WAN Orchestrator versions 9.4.0 and 9.5.0 and prioritize risk mitigation. Until official patches are released, implement network-level access controls that restrict access to the Orchestrator management interface to trusted IP addresses and VPNs only. Enable and enforce strict logging and monitoring of all administrative account creations and authentication attempts so that suspicious activity is detected promptly. Consider deploying Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS) with custom rules to detect and block attempts to exploit the MFA bypass. Review and tighten existing MFA policies and consider additional layers of identity verification where possible. Engage with HPE support channels to obtain updates on patch availability and apply patches immediately upon release. Conduct thorough audits of existing administrative accounts to identify and remove any unauthorized users. Finally, incorporate this vulnerability into incident response plans and conduct tabletop exercises to prepare for potential exploitation scenarios.
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Japan, India, Netherlands, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: hpe
- Date Reserved: 2025-04-16T01:28:25.381Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6967c568d0ff220b95b357ec
Added to database: 1/14/2026, 4:33:44 PM
Last enriched: 3/3/2026, 6:25:35 PM
Last updated: 3/25/2026, 4:28:36 AM