Authenticated Remote Code Execution in EdgeConnect SD-WAN Orchestrator Web-Based Management Interface
CVE-2023-37427

7.2HIGH

Key Information:

Vendor: HP
Status: Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 22 August 2023

Summary

A security flaw in the web-based management interface of EdgeConnect SD-WAN Orchestrator allows authenticated remote attackers to execute arbitrary commands on the host system. This could potentially compromise the entire system by enabling full root access to the underlying operating system.

Affected Version(s)

EdgeConnect SD-WAN Orchestrator Orchestrator 9.3.x

EdgeConnect SD-WAN Orchestrator Orchestrator 9.2.x

References

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 22, 2023
Vulnerability Reserved
Jul 5, 2023

Credit

Daniel Jensen (@dozernz)