HPE Alerts to Aruba Hardcoded Credential Flaws Allowing Auth Bypass

HPE Aruba Networking has released an urgent security bulletin (HPESBNW04894 rev.1) addressing multiple critical vulnerabilities in its Instant On Access Points that could allow unauthorized remote access and code execution.

The vulnerabilities, identified as CVE-2025-37103 and CVE-2025-37102, affect devices running software version 3.2.0.1 and below, prompting immediate patching recommendations from the company.

Hardcoded Credentials Enable Complete System Compromise

The most severe vulnerability, CVE-2025-37103, represents a critical security flaw with a CVSS v3.1 base score of 9.8.

This vulnerability stems from hardcoded login credentials embedded within the HPE Networking Instant On Access Points’ web interface, allowing attackers with knowledge of these credentials to completely bypass normal device authentication mechanisms.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that exploitation requires no privileges, no user interaction, and can be conducted remotely with low attack complexity.

Security researchers warn that successful exploitation grants attackers full administrative access to affected systems, potentially compromising network infrastructure and sensitive data.

The vulnerability was discovered and reported by ZZ from Ubisectech Sirius Team through HPE Aruba Networking’s Bug Bounty program, with internal reference codes ATLWL-566 and ATLWL-562.

Currently, no workarounds exist for this vulnerability, making immediate patching critical for affected organizations.

Command Injection Flaw Threatens System Integrity

The second vulnerability, CVE-2025-37102, presents a high-severity authenticated command injection flaw with a CVSS v3.1 base score of 7.2.

This vulnerability exists within the command line interface of HPE Networking Instant On Access Points and requires elevated privileges for exploitation.

The CVSS vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H indicates that, although high privileges are required, successful exploitation allows remote attackers to execute arbitrary commands on the underlying operating system as a highly privileged user.

This command injection vulnerability, referenced internally as ATLWL-561, was also discovered by the same Ubisectech Sirius Team researcher.

The flaw could enable attackers who have already gained administrative access to execute system-level commands, potentially leading to complete system compromise, data exfiltration, or lateral movement within network environments.

Automatic Updates Deployed

HPE Aruba Networking has released software version 3.2.1.0 to address both vulnerabilities.

The company initiated automatic updates during the week of June 30, 2025, requiring no customer action for most deployments.

However, administrators can manually trigger updates through the Instant On app or web portal for immediate protection.

Importantly, these vulnerabilities exclusively affect HPE Networking Instant On Access Points, with Instant On Switches remaining unaffected.

HPE reports no known public discussion or exploit code targeting these specific vulnerabilities as of the advisory’s release date.


AnuPriya

AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
