HPE Aruba Networking EdgeConnect SD-WAN Orchestrator SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the web-based management interface of HPE Aruba Networking EdgeConnect SD-WAN Orchestrator. This vulnerability allows authenticated remote attackers to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or manipulation. The issue affects EdgeConnect SD-WAN Orchestrator versions 9.5.5 and below, 9.4.4 and below, and 9.6.0, as well as all builds of versions 9.2.x and 9.3.x, which are end of life.

Impact

Exploitation of this vulnerability could allow an authenticated remote attacker to perform SQL injection attacks, executing arbitrary SQL commands on the database and potentially leading to unauthorized data access or manipulation.

Remediation

Users are advised to upgrade to EdgeConnect SD-WAN Orchestrator version 9.6.1 and above or version 9.5.6 and above. For more information, visit the HPE Aruba Networking Support Portal.