HP OfficeConnect Network Switches - Authentication Bypass (CVE-2022-37932)

CVE-2022-37932 is a high-severity vulnerability in HPE OfficeConnect 1820, 1850, and 1920S network switches that allows remote attackers to bypass authentication. Exploiting this flaw could enable unauthorized access to network management interfaces, potentially leading to full compromise of the affected switches and exposure of sensitive network configurations.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

Data from the CrowdSec community indicates that exploitation of CVE-2022-37932 is highly selective and intelligence-driven. Threat actors use advanced reconnaissance and carefully choose their targets, often as part of sophisticated campaigns or advanced persistent threat operations. Additionally, according to week-over-week analysis by CrowdSec, exploitation of CVE-2022-37932 is surging. Attack volumes are spiking well above historical norms, indicating widespread and escalating interest from threat actors. CVE-2022-37932 is currently experiencing high visibility and active exploitation across the internet.

Attackers exploit authentication bypass by sending crafted POST requests to /login/default_password_cfg.lua or /htdocs/login/default_password_cfg.lua, allowing them to reset the admin password without providing the old password. These endpoints are commonly targeted on HP OfficeConnect switch management interfaces.