Hewlett Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On access points that allow attackers to bypass normal device authentication and reach the web interface.
Aruba Instant On access points are compact, plug-and-play Wi-Fi devices designed mainly for small-to-medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud or mobile-app management.
The security issue is tracked as CVE-2025-37103 and rated "Critical" (CVSS v3.1 score: 9.8). It affects access points running firmware version 3.2.0.1 and below.
"Hardcoded login credentials were found in HPE Networking Instant On access points, allowing anyone to bypass normal device authentication," HPE explained in the bulletin.
"Successful exploitation could allow a remote attacker to gain administrative access to the system."
Because the administrative credentials are hardcoded in the firmware, they are easy for knowledgeable threat actors to find.
With administrator access to the web interface, attackers can change access point settings, alter the security configuration, install backdoors, covertly intercept and monitor traffic, or even attempt lateral movement.
The vulnerability was discovered by a security researcher from the Ubisectech Sirius Team known as Zz, who reported it directly to the vendor.
Users of vulnerable devices are advised to upgrade to firmware version 3.2.1.0 or newer to address the risk. HPE has not provided any workaround, so patching is the recommended course of action.
The bulletin clarifies that CVE-2025-37103 does not affect Instant On switches.
In the same bulletin, HPE highlights a second vulnerability, CVE-2025-37102, a high-severity authenticated command injection flaw in the command line interface (CLI) of Aruba Instant On access points.
Because exploiting it requires administrator access, this flaw can be chained with CVE-2025-37103, allowing threat actors to inject arbitrary commands through the CLI for data exfiltration, disabling security, and establishing persistence.
In this case too, the problem is solved by upgrading to firmware version 3.2.1.0 or later, and no workaround is available.
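As an added example, not HPE's tooling and not code from the bulletin, the following Python script triages a device inventory against the fixed release named above. It parses dotted firmware versions numerically rather than comparing strings, flags every Instant On access point running anything below 3.2.1.0 for upgrade (the conservative reading of "3.2.1.0 or later"), leaves switches alone because the bulletin states they are not affected, and reports unparsable entries instead of silently passing them. The inventory, hostnames, and the version string 3.10.0.0 are constructed for the example; the device-type field and the status labels are assumptions.

```python
"""Fleet triage for CVE-2025-37103 / CVE-2025-37102 on Aruba Instant On APs.

Added example: the inventory below is constructed, and the record layout
(name/type/firmware) is an assumption, not an HPE export format.
"""

# Figures from the HPE bulletin: 3.2.0.1 and below are affected, 3.2.1.0 fixes it.
LAST_VULNERABLE = (3, 2, 0, 1)
FIXED_VERSION = (3, 2, 1, 0)

# Constructed sample inventory; "switch" entries model Instant On switches,
# which the bulletin says are not affected by CVE-2025-37103.
INVENTORY = [
    {"name": "ap-lobby-01",  "type": "ap",     "firmware": "3.2.0.1"},
    {"name": "ap-floor2-03", "type": "ap",     "firmware": "3.1.0.5"},
    {"name": "ap-floor2-04", "type": "ap",     "firmware": "3.2.1.0"},
    {"name": "ap-warehouse", "type": "ap",     "firmware": "3.2.0.10"},
    {"name": "ap-lab-01",    "type": "ap",     "firmware": "3.10.0.0"},  # hypothetical later release
    {"name": "sw-core-01",   "type": "switch", "firmware": "3.2.0.1"},
    {"name": "ap-guest-02",  "type": "ap",     "firmware": "n/a"},
]


def parse_version(text):
    """Turn '3.2.0.1' into (3, 2, 0, 1).

    Tuples of ints compare correctly; strings do not ('3.10.0.0' < '3.2.1.0'
    lexicographically, which would wrongly flag a newer release).
    Raises ValueError on anything that is not dotted digits.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def _pad(version, length):
    """Right-pad with zeros so '3.2' compares as (3, 2, 0, 0)."""
    return version + (0,) * (length - len(version))


def in_affected_range(text):
    """True when the version is 3.2.0.1 or below, the range HPE lists as affected."""
    v = parse_version(text)
    n = max(len(v), len(LAST_VULNERABLE))
    return _pad(v, n) <= _pad(LAST_VULNERABLE, n)


def needs_upgrade(text):
    """True when the version is below the fixed release 3.2.1.0.

    This is the conservative policy: a build above 3.2.0.1 but below 3.2.1.0
    is not in the advisory's affected list, yet it is also not the release HPE
    names as fixed, so it still gets flagged.
    """
    v = parse_version(text)
    n = max(len(v), len(FIXED_VERSION))
    return _pad(v, n) < _pad(FIXED_VERSION, n)


def triage(inventory):
    """Map each device name to UPGRADE, OK, NOT_AFFECTED, or UNKNOWN."""
    result = {}
    for dev in inventory:
        if dev["type"] != "ap":
            result[dev["name"]] = "NOT_AFFECTED"
            continue
        try:
            result[dev["name"]] = "UPGRADE" if needs_upgrade(dev["firmware"]) else "OK"
        except ValueError:
            # Unparsable firmware string: surface it rather than assume it is patched.
            result[dev["name"]] = "UNKNOWN"
    return result


if __name__ == "__main__":
    for name, status in sorted(triage(INVENTORY).items()):
        print(f"{name:14} {status}")
```

Run it as-is to see the constructed fleet classified; in practice the inventory would come from the Instant On cloud portal or mobile app, and any device marked UNKNOWN deserves a manual check rather than being treated as patched.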
At this time, HPE Aruba Networking is not aware of any reports of exploitation of the two flaws. However, that can change quickly, so it is important to apply the security updates promptly.