"Aruba EdgeConnect SD-WAN CVE-2025-37123: Authenticated Root Command Execution on Gateways"

What happened
On September 16, 2025, HPE published security advisory hpesbnw04943 covering a set of vulnerabilities in HPE Aruba Networking EdgeConnect SD-WAN gateways. The most attention-getting of the group is CVE-2025-37123, a flaw in the gateway's command-line interface (CLI) that allows an authenticated remote attacker to escalate privileges and execute arbitrary system commands as root on the underlying operating system.
In plain terms: a user who can already log in to the CLI — at any privilege level — can break out and take full control of the box. EdgeConnect gateways sit at the edge of branch, campus, and data-center networks and steer WAN traffic, so a compromised gateway is a serious foothold. NVD classifies the issue as CWE-269 (Improper Privilege Management).
CVE-2025-37123 does not stand alone. The same advisory bundles a cluster of related issues (CVE-2025-37123 through CVE-2025-37131), several of which also lead to command execution or firewall-policy bypass. All of them are fixed in the same software releases, so the practical takeaway is one decision: get to a patched version.
Affected products and versions
The vulnerability affects the EdgeConnect SD-WAN gateway software. Per NVD and the HPE advisory, the affected and fixed versions are:
| Product | Affected | Fixed |
|---|---|---|
| HPE Aruba Networking EdgeConnect SD-WAN (9.5.x branch) | 9.5.0.0 through 9.5.3.6 | 9.5.4.1 and above |
| HPE Aruba Networking EdgeConnect SD-WAN (9.4.x branch) | 9.4.0.0 through 9.4.3.7 | 9.4.4.2 and above |
If you are on an older branch (9.3.x or earlier) that no longer receives fixes, HPE's guidance is to move to a supported, patched release. Confirm your specific build against the official advisory before planning the upgrade.
How serious is it
CVE-2025-37123 carries a CVSS v3.1 base score of 8.8 (High) with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. That breakdown matters:
- Network attack vector, low complexity — reachable remotely with no special conditions.
- Low privileges required, no user interaction — the attacker needs valid credentials, but only low-level ones, and nobody has to be tricked into clicking anything.
- High confidentiality, integrity, and availability impact — successful exploitation yields root, which means full compromise of the gateway.
The "authentication required" qualifier is the one piece of good news, and it is genuinely meaningful. This is not a pre-auth, internet-wide worm scenario. The real risk is an insider, a contractor, a reused or weak credential, or an attacker who has already phished a management login — any of whom could turn limited CLI access into root.
For context, the companion bugs in the advisory include CVE-2025-37124 (CVSS 8.6), an unauthenticated firewall/access bypass, and several authenticated command-execution and information-disclosure issues in the 6.x–7.x range. The unauthenticated bypass is worth noting because it lowers the bar for the chain overall.
Exploitation status: As of publication, these vulnerabilities are not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, and HPE has stated it is not aware of any active exploitation. That can change, so the patch timeline should not wait for a KEV listing. We were not able to confirm any public proof-of-concept exploit; treat that as "unconfirmed" rather than "safe."
Am I exposed?
You are likely affected if all of the following are true:
- You run HPE Aruba Networking EdgeConnect SD-WAN gateways (the Silver Peak-lineage platform), and
- Your software version falls inside one of the affected ranges above (9.5.0.0–9.5.3.6 or 9.4.0.0–9.4.3.7), and
- The CLI / management interface is reachable by any account holder who should not have root.
To check your version, review the running software build in Orchestrator or on the gateway itself and compare it to the table above. If you manage fleets through HPE Aruba Networking Orchestrator (formerly Silver Peak Unity Orchestrator), inventory every gateway — mixed-version fleets are common, and one unpatched branch office is enough.
Because the primary vulnerability is authenticated, also audit who can reach the CLI and management plane today, and whether those accounts use shared or weak credentials.
How to fix it
Patch. This is the only complete remediation. Upgrade affected gateways to a fixed release:
- 9.5.x branch → 9.5.4.1 or later
- 9.4.x branch → 9.4.4.2 or later
Older, unsupported branches should be migrated to one of the patched releases above.
Interim mitigations (risk reduction only — not a substitute for patching). HPE and independent advisories recommend tightening access to the management plane while you schedule upgrades:
- Restrict CLI and web management access to a dedicated, isolated management VLAN.
- Apply IP allow-listing so only known administrative hosts can reach the management interfaces.
- Enforce strong, centralized authentication via RADIUS or TACACS+, and remove or rotate shared and default credentials.
- Route management traffic through secured tunnels and keep the management plane off the public internet.
These steps shrink the population of accounts and networks that can reach the vulnerable CLI, which directly limits who could exploit CVE-2025-37123. Plan the upgrade as the durable fix.
How Uniqcli helps
Uniqcli is an authorized reseller of HPE, HPE Aruba Networking, and HPE Juniper Networking, working with US federal, SLED, healthcare, and enterprise customers. For an advisory like this we can:
- Assess your exposure — inventory your EdgeConnect SD-WAN fleet, identify which gateways fall in the affected version ranges, and prioritize by exposure and mission criticality.
- Source patched or replacement hardware — if any gateways are end-of-support and cannot reach a fixed release, we can quote current, supported EdgeConnect platforms and licensing.
- Support the upgrade — coordinate the move to 9.5.4.1 / 9.4.4.2, including maintenance windows, Orchestrator-driven rollouts, and management-plane hardening.
- Procure the right way — we support compliant acquisition through TAA-compliant product, GSA, and SEWP vehicles for public-sector buyers.
If you run EdgeConnect SD-WAN and want a fast read on your exposure to CVE-2025-37123 and the related advisory, reach out and we'll help you scope the remediation.
Sources
- HPE Security Advisory hpesbnw04943 — HPE Aruba Networking EdgeConnect SD-WAN Gateways Multiple Vulnerabilities
- NVD — CVE-2025-37123 Detail
- securityonline.info — Multiple High-Severity Vulnerabilities Found in HPE Aruba Networking EdgeConnect SD-WAN Gateways
- Ameeba — CVE-2025-37123: High Severity Privilege Escalation Vulnerability in HPE Aruba Networking EdgeConnect SD-WAN Gateways