"CVE-2025-37125: HPE Aruba Networking EdgeConnect SD-WAN Firewall-Bypass Flaw (HPESBNW04943) — What to Patch"

What happened
On November 18, 2025, HPE Aruba Networking published security bulletin HPESBNW04943, disclosing multiple vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN gateways (the EdgeConnect OS / "ECOS" software that runs on EdgeConnect Enterprise appliances). One of those issues is CVE-2025-37125, a broken access control vulnerability (CWE-284) in the gateway's firewall configuration handling. Under the right conditions, it can allow traffic to bypass firewall protections and be handled improperly — undermining a control that SD-WAN edge devices are specifically deployed to enforce.
A note on scope before we go further, because it matters for accurate remediation. This post's URL slug references "Aruba AOS-8 / AOS-10." Based on the authoritative sources — NVD, the HPE PSIRT bulletin, and national CERT advisories — CVE-2025-37125 is an EdgeConnect SD-WAN / EdgeConnect OS vulnerability, not an ArubaOS controller (AOS-8/AOS-10) vulnerability. The AOS-8/AOS-10 Mobility Conductor and controller fixes are tracked under a separate bulletin, HPESBNW04987, covering a different set of CVEs (the CVE-2025-37168 family). If you run AOS-8/AOS-10 controllers, see HPESBNW04987; if you run EdgeConnect SD-WAN gateways, this post and HPESBNW04943 are what apply to you. We have written this to the verified facts rather than the slug.
Affected products and versions
CVE-2025-37125 affects EdgeConnect OS release streams as listed by HPE and NVD. The fixed builds are the first releases on each maintained branch that resolve the issue.
| Product | Affected | Fixed |
|---|---|---|
| HPE Aruba EdgeConnect SD-WAN (ECOS) 9.5 stream | 9.5.0.0 through 9.5.3.6 | 9.5.4.1 and later |
| HPE Aruba EdgeConnect SD-WAN (ECOS) 9.4 stream | 9.4.0.0 through 9.4.3.7 | 9.4.4.2 and later |
| HPE Aruba EdgeConnect SD-WAN (ECOS) 9.3.x and earlier | End of maintenance (per HPE) | No patch — upgrade to a supported stream |
HPE lists ECOS 9.3.x.x and older release streams as out of maintenance. Those branches will not receive a fix for CVE-2025-37125, so the only remediation is upgrading to a supported, patched stream (9.4.4.2+ or 9.5.4.1+).
How serious is it
CVE-2025-37125 carries a CVSS v3.1 base score of 7.5 (High), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. In plain terms: it is network-reachable, low-complexity, and requires no privileges and no user interaction, with a high impact to confidentiality. The weakness type is CWE-284, Improper Access Control.
CVE-2025-37125 is one of several flaws batched into HPESBNW04943. The companion issues range from medium to high severity and include authenticated command injection and remote code execution paths on the same gateways — for example CVE-2025-37123 (CVSS 8.8) and CVE-2025-37124 (CVSS 8.6). Because these ship in the same fixed builds, treat the advisory as a single remediation event rather than patching one CVE at a time.
As of this writing, CVE-2025-37125 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and we found no public reports of active exploitation. That can change, and "no known exploitation" is not "low risk" — a firewall-bypass on an internet-facing SD-WAN edge is exactly the kind of foothold that gets weaponized after disclosure. Patch on the normal urgent track, not the someday track.
Am I exposed?
You are potentially exposed if all of the following are true:
- You operate HPE Aruba Networking EdgeConnect SD-WAN gateways (EdgeConnect Enterprise appliances or virtual gateways), and
- They run EdgeConnect OS in an affected range: any 9.5.x build up to and including 9.5.3.6, any 9.4.x build up to and including 9.4.3.7, or any 9.3.x or earlier stream.
To check, confirm the running ECOS version on each gateway through Orchestrator (the SD-WAN management plane) or the gateway CLI/web UI, and compare against the table above. Pay particular attention to gateways at internet edges, branch sites, and any device whose management or data interfaces are reachable from untrusted networks. If you are an AOS-8/AOS-10 controller shop and arrived here from the slug, you are looking for HPESBNW04987 instead — your fixed versions and CVEs are different.
How to fix it
- Upgrade EdgeConnect OS to a fixed build. Move 9.5.x gateways to 9.5.4.1 or later and 9.4.x gateways to 9.4.4.2 or later. These builds resolve CVE-2025-37125 along with the rest of HPESBNW04943.
- If you are on ECOS 9.3.x or older, there is no patch — plan an upgrade to a supported, fixed stream. Out-of-maintenance branches will keep accumulating unfixed CVEs.
- Reduce exposure in the interim. HPE's general guidance for EdgeConnect hardening applies: restrict access to gateway management interfaces to trusted networks/jump hosts, and limit which networks can reach the device. There is no documented standalone workaround for this specific firewall-bypass flaw, so mitigation is about shrinking reachability until the patch lands — it is not a substitute for upgrading.
- Validate after patching. Re-check the running version on every gateway and confirm your firewall/security policies behave as intended post-upgrade. Schedule maintenance windows per site given that SD-WAN gateways carry production traffic.
Always confirm exact fixed-build numbers against the live HPESBNW04943 bulletin before scheduling, since HPE revises advisories as new builds publish.
How Uniqcli helps
Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we support federal, SLED, healthcare, and enterprise customers through every stage of this kind of remediation:
- Assess exposure. We can help you inventory EdgeConnect gateways and ECOS versions across sites and map them against HPESBNW04943 (and, separately, AOS-8/AOS-10 controllers against HPESBNW04987) so you know exactly what needs to move.
- Source patched and replacement hardware. For gateways on end-of-maintenance ECOS 9.3.x and older — or hardware approaching end of support — we can quote and source supported, patchable EdgeConnect platforms.
- Support the upgrade. We coordinate licensing, Orchestrator-driven rollouts, and maintenance planning with HPE Aruba so production SD-WAN traffic stays protected during the change.
- Compliant procurement. All of this is available through TAA-compliant, GSA, and SEWP vehicles for public-sector buyers, with documentation to match.
If you run EdgeConnect SD-WAN (or AOS-8/AOS-10 controllers) and want a fast read on exposure and a remediation plan, reach out to Uniqcli and we will help you scope it.
Sources
- HPE PSIRT — HPESBNW04943: HPE Aruba Networking EdgeConnect SD-WAN Gateways multiple vulnerabilities
- NVD — CVE-2025-37125 detail
- securityonline.info — Multiple high-severity vulnerabilities found in HPE Aruba Networking EdgeConnect SD-WAN gateways
- Canadian Centre for Cyber Security — HPE security advisory (AV25-597)
- HPE PSIRT — HPESBNW04987: Multiple vulnerabilities in HPE Aruba Networking AOS-8 and AOS-10 (separate, controller-focused advisory)
- CISA Known Exploited Vulnerabilities Catalog (CVE-2025-37125 not listed as of publication)