Unauthenticated Remote Code Execution in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface
CVE-2023-37424

8.1HIGH

Key Information:

Vendor: HP
Status: Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 22 August 2023

Summary

The web-based management interface of Aruba Networks' EdgeConnect SD-WAN Orchestrator contains a vulnerability that enables an unauthenticated attacker to execute arbitrary commands on the underlying operating system. This may occur if specific preconditions are met that are beyond the attacker's control. Successful exploitation could lead to significant security breaches, including full system compromise, making it essential for organizations to promptly patch this vulnerability.

Affected Version(s)

EdgeConnect SD-WAN Orchestrator Orchestrator 9.3.x

EdgeConnect SD-WAN Orchestrator Orchestrator 9.2.x

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2023
Vulnerability Reserved
Jul 5, 2023

Credit

Daniel Jensen (@dozernz)