Hewlett-Packard Enterprise (HPE) has warned that hardcoded credentials have been discovered in Aruba Instant On access points. These credentials allow bypassing standard device authentication to gain access to the web interface.
Aruba Instant On access points are compact wireless devices primarily designed for small and medium-sized businesses, offering various enterprise-level features (guest networks, traffic segmentation) with management via cloud or mobile applications.
The vulnerability, identified as CVE-2025-37103 and classified as critical (with a CVSS score of 9.8), affects Instant On access points running firmware version 3.2.0.1 and below. It is specifically noted that CVE-2025-37103 does not affect Instant On switches.
“Hardcoded credentials were discovered in HPE Networking Instant On access points, allowing anyone who knows about this to bypass the device’s standard authentication,” explains HPE in their security bulletin. “Successful exploitation allows a remote attacker to gain administrative access to the system.”
Gaining access to the web interface as an administrator, attackers can change the access point settings, reconfigure the security system, implant backdoors, and also set up covert surveillance, intercept traffic, or attempt lateral movement.
Owners of vulnerable devices are advised to update the firmware to version 3.2.1.0 or newer as soon as possible, where the vulnerability has already been addressed. HPE specialists do not report any existing workarounds for this issue, so it is recommended to install the updates.
In the same security bulletin, HPE also reported another vulnerability — CVE-2025-37102. This issue is associated with authenticated command injection in the command-line interface (CLI) and also affects Aruba Instant On access points.
The vulnerability can be combined with CVE-2025-37103, as administrative rights are required for its exploitation. This will allow attackers to inject arbitrary commands into the CLI and use them to extract data, disable protections, and establish persistence in the system.
This vulnerability was also fixed in the updated firmware version 3.2.1.0, and no alternative solutions are provided for its remediation.
2025.01.27 — YouTube plays hour-long ads to users with ad blockers
Users complain that YouTube plays very long unskippable ads. Sometimes such ads are longer than the video the person is watching. The issue was raised…
Full article →
2025.03.16 — Researchers force DeepSeek to write malware
According to Tenable, the AI chatbot DeepSeek R1 from China can be used to write malware (e.g. keyloggers and ransomware). DeepSeek was released in January 2025 and caused a stir…
Full article →
2025.01.29 — Google to disable Sync in older Chrome versions
Google announced that in early 2025, Chrome Sync will be disabled in Chrome versions older than four years. Chrome Sync enables users to save and sync their…
Full article →
2025.02.25 — More than 100,000 users downloaded SpyLend malware from Google Play Store
According to Cyfirma, a malicious Android app called SpyLend was available on the official Google Play Store for some time and has been downloaded from there…
Full article →
2025.03.26 — Cloudflare to block all unencrypted traffic to its APIs
According to Cloudflare, effective immediately, only secure HTTPS connections to api.cloudflare.com will be accepted; while all HTTP ports are to be closed. The purpose of this decision…
Full article →
2025.04.16 — Android devices will restart every three days to protect user data
Google introduces a new security feature for Android devices: locked and unused devices will be automatically restarted after three days of inactivity to return their memory to an…
Full article →
2025.04.25 — Asus patches vulnerability in AMI's MegaRAC enabling attackers to brick servers
Asus released patches for the CVE-2024-54085 vulnerability that allows attackers to seize and disable servers. The security hole affects the American Megatrends International (AMI) MegaRAC Baseboard Management…
Full article →
2025.04.07 — Critical RCE vulnerability discovered in Apache Parquet
All versions of Apache Parquet up to and including 1.15.0 are affected by a critical remote code execution (RCE) vulnerability whose CVSS score is 10 out…
Full article →
2025.02.18 — Chrome Enhanced Protection mode is now powered by AI
The Enhanced Protection mode in Google Chrome has been updated. Now it uses AI to protect users from dangerous sites, downloads, and extensions in real time.…
Full article →
2025.02.21 — Microsoft fixes vulnerability in Power Pages exploited by cybercriminals
Microsoft patched a severe privilege escalation vulnerability in Power Pages used by hackers as a 0-day. The vulnerability tracked as CVE-2025-24989 (CVSS score 8.2) pertains…
Full article →