CVE-2025-37184 PUBLISHED

Unauthenticated Bypass Allows Multi-Factor Authentication Circumvention

Assigner: hpe
Reserved: 16.04.2025 Published: 14.01.2026 Updated: 03.03.2026

A vulnerability exists in an Orchestrator service that could allow an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could allow an attacker to create an admin user account without the necessary multi-factor authentication, thereby compromising the integrity of secured access to the system.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Hewlett Packard Enterprise (HPE)
Product	EdgeConnect SD-WAN Orchestrator
Versions	Default: affected affected from 9.5.0 to 9.6.0 (incl.) affected from 9.4.0 to 9.4.4 (incl.)

Credits

Nicholas Starke reporter

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US