Authentication Bypass in HPE Orchestrator Service
CVE-2025-37184

9.8CRITICAL

Key Information:

Vendor: HP (HP)
Status: Edgeconnect Sd-wan Orchestrator
Vendor: CVE Published:; 14 January 2026

What is CVE-2025-37184?

A vulnerability has been identified within the HPE Orchestrator Service that permits an unauthenticated remote attacker to bypass essential multi-factor authentication protocols. This flaw allows for the creation of an admin user account without adhering to the required multi-factor authentication steps, significantly jeopardizing the security and integrity of the system's access control mechanisms.

Affected Version(s)

EdgeConnect SD-WAN Orchestrator 9.5.0 <= 9.6.0

EdgeConnect SD-WAN Orchestrator 9.4.0 <= 9.4.4

References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpe...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 14, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Nicholas Starke

CVE-2025-37184 Data

JSON

HP (HP)

What is CVE-2025-37184?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit