HPE Aruba Networking EdgeConnect SD-WAN Orchestrator Multi-Factor Authentication Bypass Vulnerability

Vulnerability

A vulnerability in the HPE Aruba Networking EdgeConnect SD-WAN Orchestrator allows an unauthenticated remote attacker to bypass multi-factor authentication requirements. Successful exploitation could enable the attacker to create an admin user account without the necessary authentication, compromising the integrity of secured access to the system. The vulnerability affects EdgeConnect SD-WAN Orchestrator versions 9.6.0, 9.5.5 and below, and 9.4.4 and below. All builds of versions 9.3.x and 9.2.x and older are also affected.

Impact

Bypassing multi-factor authentication could lead to unauthorized admin account creation, compromising the integrity of access to the system.

Remediation

Users are advised to upgrade to EdgeConnect SD-WAN Orchestrator version 9.6.1 and above or 9.5.6 and above. For versions 9.3.6 and above and 9.4.3 and above, this vulnerability has already been addressed.

Added: Jan 14, 2026, 5:53 PM
Updated: Jan 14, 2026, 5:53 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 7.5
exploitability: 7.4
remediation: 8.3
relevance: 2.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.