HP OfficeConnect Network Switches - Authentication Bypass (CVE-2022-37932)

CVE-2022-37932 is a high-severity vulnerability in HPE OfficeConnect 1820, 1850, and 1920S network switches that allows remote attackers to bypass authentication. Exploiting this flaw could enable unauthorized access to network management interfaces, potentially leading to full compromise of the affected switches and exposure of sensitive network configurations.

CrowdSec has been tracking this vulnerability and its exploits since 24th of September 2025.

Based on data from the CrowdSec network, nearly all observed exploitation of CVE-2022-37932 is fully opportunistic, with attackers indiscriminately scanning the entire internet. These attacks are automated and lack any form of target selection or reconnaissance. Data from the CrowdSec community also indicates a gradual decrease in attacks targeting CVE-2022-37932. While still present in the wild, exploitation levels have dropped noticeably week-over-week. This may signal that the vulnerability is becoming less relevant or that defenses are improving fast enough for attackers to lose interest.

Attackers exploit authentication bypass by sending crafted POST requests to /login/default_password_cfg.lua or /htdocs/login/default_password_cfg.lua, allowing them to reset the admin password without providing the old password. These endpoints are commonly targeted on HP OfficeConnect switch management interfaces.