Aruba has fixed a number of critical vulnerabilities affecting multiple versions of its EdgeConnect Enterprise Orchestrator software.
Affected products include the on-premises, as-a-service, service provider, and global enterprise tenant versions of the software, in version 9.1.2.40051 and below; 9.0.7.40108 and below; and 8.10.23.40009 and below, as well as older branches not listed here.
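As an added example (not Aruba's tooling or anything published with the article), the following Python classifies a deployed Orchestrator version string against the affected ranges the article lists: a build at or below the stated ceiling of its branch, or in a branch older than 8.10, is reported as affected; anything else is reported only as outside the listed ranges, since the article does not name the fixed builds. The inventory of hostnames and versions is constructed for the example.

```python
"""Check EdgeConnect Enterprise Orchestrator version strings against the
affected ranges quoted in the article. Added example, not vendor code."""

# Per-branch ceilings quoted in the article: a build in the branch is
# affected if it compares less than or equal to this tuple.
AFFECTED_CEILINGS = {
    (9, 1): (9, 1, 2, 40051),
    (9, 0): (9, 0, 7, 40108),
    (8, 10): (8, 10, 23, 40009),
}

# The article says branches older than those listed are affected as well.
OLDEST_LISTED_BRANCH = (8, 10)


def parse_version(text: str) -> tuple:
    """Turn '9.1.2.40051' into (9, 1, 2, 40051); reject anything non-numeric."""
    parts = text.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return one of: 'affected', 'affected (older branch)',
    'above listed ceiling', or 'not listed in advisory'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in AFFECTED_CEILINGS:
        # Python compares tuples element-wise, so a shorter prefix such as
        # (9, 1, 2) sorts below (9, 1, 2, 40051) and is treated as affected.
        if v <= AFFECTED_CEILINGS[branch]:
            return "affected"
        # Newer than the quoted ceiling; the article does not name the
        # fixed build, so report only that the listed range is exceeded.
        return "above listed ceiling"
    if branch < OLDEST_LISTED_BRANCH:
        return "affected (older branch)"
    return "not listed in advisory"


def triage_inventory(inventory: dict) -> dict:
    """Map hostname -> classification for a {host: version} inventory.
    Malformed versions are flagged rather than silently skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparseable version"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "orch-prod-01": "9.1.2.40051",
        "orch-prod-02": "9.1.3.40197",
        "orch-lab-01": "8.9.4.12345",
        "orch-lab-02": "9.2.0.1",
        "orch-broken": "n/a",
    }
    for host, verdict in triage_inventory(sample).items():
        print(f"{host:14s} {sample[host]:14s} {verdict}")
```

The comparison works because Python orders tuples element by element, so the build number only matters once major, minor and patch fields are equal; keep the ceilings as tuples rather than strings so that 9.1.2.9999 is not mistaken for a build newer than 9.1.2.40051.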
The software’s web-based management interface has an authentication bypass. Discovered by Daniel Jensen and reported through the company’s bug bounty program, it is tracked as two critical-rated CVEs, CVE-2022-37913 and CVE-2022-37914, neither of which has yet been detailed.
Successful exploitation “could allow an attacker to gain administrative privileges leading to complete compromise of the Aruba EdgeConnect Enterprise Orchestrator host”, the company said.
Jensen also found a fault, CVE-2022-37915, that allows an unauthenticated attacker to “run arbitrary commands” on the host underlying the web-based management interface; it too has yet to be explained in more detail.
Also rated critical, this vulnerability affects Aruba EdgeConnect Enterprise Orchestrator (on-premises) in the 9.1.x branch only, and “any 9.1.x Orchestrator instantiated as a new machine with a release prior to 9.1.3.40197”.
Patched versions are available for customers who run the software themselves; users of the orchestrator software-as-a-service will be upgraded; and service providers are advised they must upgrade all tenants.