Critical Remote Code Execution & Authentication Bypass Vulnerabilities in Aruba EdgeConnect Enterprise Orchestrator

Share :

On Tuesday, October 11th, 2022, Aruba disclosed three critical vulnerabilities impacting EdgeConnect Enterprise Orchestrator. The vulnerabilities, CVE-2022-37913, CVE-2022-37914, CVE-2022-37915, are remote code execution and authentication bypass vulnerabilities that could enable remote threat actors to compromise a host. In order for a threat actor to exploit these vulnerabilities, WAN access would need to be available for the CLI and/or web-based management interfaces.

CVE-2022-37913 and CVE-2022-37914 (CVSS v3.1 9.8)

Authentication bypass vulnerability in the web-based management interface of EdgeConnect Orchestrator, allowing an unauthenticated, remote attacker to bypass authentication.

CVE-2022-37915 (CVSS v3.1 9.8)

Vulnerability in the web-based management interface of EdgeConnect Orchestrator, allowing arbitrary command execution on the underlying host and leading to complete system compromise.

Affected Products:

  • EdgeConnect Enterprise Orchestrator (on-premises)
  • EdgeConnect Enterprise Orchestrator-as-a-Service
  • EdgeConnect Enterprise Orchestrator-SP and EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
  • Orchestrator and below
  • Orchestrator and below
  • Orchestrator and below

Arctic Wolf has not observed public proof of concept (PoC) exploit code being published for this vulnerability. Aruba claims that they have not detected active exploitation of these vulnerabilities or PoC exploit code being available either. EdgeConnect devices are usually deployed in valuable environments, which would be attractive for threat actors to target and attempt to create exploits for these vulnerabilities in the near future. We strongly recommend applying the relevant security patches to impacted devices to remediate the vulnerability and prevent potential exploitation.


Arctic Wolf strongly recommends applying the security patches provided by Aruba. For organizations who are not able to apply the patch immediately, Aruba has also provided a workaround to limit access to the CLI and web-based management interfaces. For organizations who are running older versions that are no longer supported, Aruba recommends upgrading to a newer product release as soon as possible.

Recommendation #1: Upgrade EdgeConnect to a Fixed Version

Upgrade Aruba EdgeConnect Enterprise Orchestrator to one of the following versions with the fixes to resolve all issues noted in the details section.

  • Aruba EdgeConnect Enterprise Orchestrator (on-premises)
    • Orchestrator and above
    • Orchestrator and above
    • Orchestrator and above
    • Orchestrator and above
  • Aruba EdgeConnect Enterprise Orchestrator-as-a-Service
    • TAC will automatically create a support case for Aruba
      (Silver Peak) hosted Orchestrators to be upgraded.
  • Aruba EdgeConnect Enterprise Orchestrator-SP and Aruba EdgeConnect Enterprise Orchestrator Global Enterprise Tenant Orchestrators
    • Service providers must upgrade all tenants to a patched version listed above

NOTE: Aruba does not evaluate or patch product versions that have reached their End of Support (EoS) milestone.

Recommendation #2: Limit Access to CLI and Web-Based Management Interfaces

To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above.



James Liolios

James Liolios

James Liolios is a Senior Threat Intelligence Researcher at Arctic Wolf, where he keeps a watchful eye on the latest threats and threat actors to understand the potential impact to Arctic Wolf customers. He has a background of 9 years' experience in many areas of cybersecurity, holds a bachelor's degree in Information Security, and is also CISSP certified.
Share :
Table of Contents
Subscribe to our Monthly Newsletter