Skip to content
Uniqcli

"Aruba EdgeConnect SD-WAN CVE-2025-37124 (CVSS 8.6): Unauthenticated Firewall Bypass"

NewsUniqcli TeamJune 15, 20266 min read
"Aruba EdgeConnect SD-WAN CVE-2025-37124 (CVSS 8.6): Unauthenticated Firewall Bypass"

HPE Aruba Networking has published a security advisory covering multiple vulnerabilities in its EdgeConnect SD-WAN gateways. The most consequential of the unauthenticated issues is CVE-2025-37124, a firewall-bypass flaw rated CVSS 8.6 (High). This post explains what the vulnerability does, which versions are affected, how serious it is, and the exact steps to remediate.

What happened

HPE Aruba Networking disclosed a set of vulnerabilities in EdgeConnect SD-WAN gateways through advisory hpesbnw04943en_us. Reporting on the advisory describes a total of nine distinct software vulnerabilities, ranging from authenticated remote code execution to unauthenticated firewall bypass.

CVE-2025-37124 is the headline unauthenticated flaw. Per the published description, "a vulnerability in the HPE Aruba Networking SD-WAN Gateways could allow an unauthenticated remote attacker to bypass firewall protections." Successful exploitation could let an attacker route potentially harmful traffic through the internal network, leading to unauthorized access or disruption of services. Because it requires no credentials and is network-reachable, it is the one most worth prioritizing if your gateways have any exposed management or data-plane interfaces.

CVE-2025-37124 is closely related to CVE-2025-37125, a second firewall-bypass issue in the EdgeConnect OS (ECOS) that secondary reporting lists at CVSS 7.5. Both stem from improper firewall enforcement and are fixed by the same updates.

Affected products and versions

The advisory affects HPE Aruba Networking EdgeConnect SD-WAN gateways (the EdgeConnect OS / ECOS platform). HPE provides two remediation trains — a 9.5.x line and a 9.4.x line — and states that 9.5.4.1 and above as well as 9.4.4.2 and above fix all the vulnerabilities in the advisory.

The sources reviewed for this post did not publish an explicit lower bound for the affected range, so treat all EdgeConnect SD-WAN releases below the fixed builds as potentially affected, and confirm your specific train against HPE's advisory before upgrading.

Product Affected Fixed
HPE Aruba EdgeConnect SD-WAN (ECOS), 9.5.x line Releases prior to 9.5.4.1 9.5.4.1 and above
HPE Aruba EdgeConnect SD-WAN (ECOS), 9.4.x line Releases prior to 9.4.4.2 9.4.4.2 and above

How serious is it

CVE-2025-37124 carries a CVSS 3.1 base score of 8.6 (High) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H. Decoding that vector: the attack is launched over the network (AV:N) with low complexity (AC:L), needs no privileges (PR:N) and no user interaction (UI:N). The impact is rated low to confidentiality and integrity but high to availability — consistent with an attacker who can push unwanted traffic through the gateway and disrupt service.

CVE-2025-37124 was published to the National Vulnerability Database on September 16, 2025. As of this writing:

  • It is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
  • Vulnerability trackers mark it "Known Exploited: No," and HPE stated it was not aware of any attacks exploiting these issues at the time of disclosure.

That status can change quickly once a fix exists and the flaw is publicly documented, so the absence of active exploitation is a reason to patch promptly, not a reason to defer.

The broader advisory also includes higher-impact authenticated issues — secondary reporting cites CVE-2025-37123 at CVSS 8.8 (authenticated command injection with root execution) — but those require valid credentials, whereas CVE-2025-37124 does not. Treat the unauthenticated firewall bypass as your primary driver and clean up the rest in the same maintenance window.

Am I exposed?

You should treat your environment as potentially affected if all of the following are true:

  • You operate HPE Aruba Networking EdgeConnect SD-WAN gateways (ECOS).
  • They are running a release below 9.5.4.1 (on the 9.5 train) or below 9.4.4.2 (on the 9.4 train).
  • The gateways are reachable from an untrusted network — directly internet-facing, or sitting where an attacker who lands on an adjacent segment could reach the gateway's interfaces.

To check your version, review the running software build on each gateway in Orchestrator (or via the gateway CLI/UI) and compare it against the fixed builds above. Inventory every gateway, not just internet edge devices — branch and hub gateways on the same train are equally in scope.

How to fix it

1. Upgrade to a fixed release. This is the definitive remediation. Move affected gateways to:

  • EdgeConnect SD-WAN 9.5.4.1 or later, or
  • EdgeConnect SD-WAN 9.4.4.2 or later

Choose the train that matches your current deployment to minimize change. Both fixed builds resolve all vulnerabilities in the advisory, including CVE-2025-37124 and CVE-2025-37125.

2. Apply interim mitigations until you can patch. Until every gateway is on a fixed build, reduce reachability and add upstream controls:

  • Implement perimeter controls upstream of the gateways — deploy network access control lists (ACLs) on adjacent network devices to limit who can reach gateway interfaces.
  • Restrict management access (CLI/web/API) to a dedicated management VLAN or via layer-3 firewall policies, and apply IP allow-listing for local users and API keys.
  • Use RADIUS or TACACS+ for administrative authentication rather than local accounts where possible.
  • Keep management traffic inside secure SD-WAN tunnels rather than exposing it on untrusted segments.

These mitigations lower the odds of reaching the vulnerable code path but are not a substitute for the patch. Plan the upgrade.

3. Verify and monitor. After upgrading, confirm the running build on each gateway, re-check that management interfaces are not exposed to untrusted networks, and watch gateway and adjacent firewall logs for anomalous or unexpected traffic flows.

How Uniqcli helps

Uniqcli is an authorized reseller of HPE, HPE Aruba Networking, and HPE Juniper Networking, and we work with US federal, SLED, healthcare, and enterprise teams on exactly this kind of remediation.

  • Assess exposure. We can help inventory your EdgeConnect SD-WAN fleet, identify gateways running affected builds, and prioritize remediation by reachability and risk.
  • Source patched or replacement hardware. If your remediation plan involves refreshing gateways or adding capacity to support an upgrade, we can quote and source the right EdgeConnect models and support entitlements.
  • Support the upgrade. We can help plan a low-disruption upgrade path to 9.5.4.1+ or 9.4.4.2+ and coordinate interim mitigations in the meantime.
  • Compliant procurement. We support TAA-compliant, GSA, and SEWP procurement paths so public-sector buyers can acquire patched hardware and support through the appropriate vehicles.

If you operate EdgeConnect SD-WAN and want help confirming exposure or sourcing what you need to remediate, reach out to Uniqcli.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL