Aruba has fixed a number of critical vulnerabilities affecting multiple versions of its EdgeConnect Enterprise Orchestrator software.

Affected products include the on-premises, as-a-service, service provider, and global enterprise tenant editions of the software, in versions 9.1.2.40051 and below, 9.0.7.40108 and below, and 8.10.23.40009 and below, as well as older branches not listed here.
The software’s web-based management interface is affected by two authentication bypass vulnerabilities, CVE-2022-37913 and CVE-2022-37914, discovered by Daniel Jensen and reported through the company’s bug bounty program. Both are rated critical; technical details of neither have yet been published.
Successful exploitation “could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host”, the company said.
Jensen also found CVE-2022-37915, a flaw that allows an unauthenticated attacker to “run arbitrary commands” on the host underlying the web-based management interface. Details of this vulnerability have likewise not yet been published.
Also rated critical, this vulnerability affects only the 9.1.x branch of Aruba EdgeConnect Enterprise Orchestrator (on-premises), specifically “any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197”.
Patched versions are available for customers who run the software themselves; customers using the orchestrator as a service will be upgraded; and service providers are advised that they must upgrade all of their tenants.