
Hewlett-Packard Enterprise (HPE) has warned that hardcoded credentials have been discovered in Aruba Instant On access points. These credentials allow bypassing standard device authentication to gain access to the web interface.
Aruba Instant On access points are compact wireless devices primarily designed for small and medium-sized businesses, offering various enterprise-level features (guest networks, traffic segmentation) with management via cloud or mobile applications.
The vulnerability, identified as CVE-2025-37103 and classified as critical (with a CVSS score of 9.8), affects Instant On access points running firmware version 3.2.0.1 and below. It is specifically noted that CVE-2025-37103 does not affect Instant On switches.
“Hardcoded credentials were discovered in HPE Networking Instant On access points, allowing anyone who knows about this to bypass the device’s standard authentication,” explains HPE in its security bulletin. “Successful exploitation allows a remote attacker to gain administrative access to the system.”
With administrative access to the web interface, attackers can change access point settings, reconfigure security controls, implant backdoors, set up covert surveillance, intercept traffic, or attempt lateral movement.
Owners of vulnerable devices are advised to update the firmware to version 3.2.1.0 or newer, which addresses the vulnerability, as soon as possible. HPE reports no workarounds for this issue, so installing the update is the only recommended remediation.
In the same security bulletin, HPE also reported another vulnerability, CVE-2025-37102. This issue is an authenticated command injection in the command-line interface (CLI) and also affects Aruba Instant On access points.
Because exploiting it requires administrative rights, it can be chained with CVE-2025-37103: an attacker who first bypasses authentication can then inject arbitrary commands into the CLI and use them to extract data, disable protections, and establish persistence on the device.
This vulnerability is also fixed in firmware version 3.2.1.0, and no workarounds are available for it either.
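As an added example (not HPE's code), the following Python helper triages an inventory of Instant On devices against the version boundaries stated in the bulletin: access points on firmware below 3.2.1.0 need the update, switches are out of scope. The device names and the inventory rows are constructed sample data; numeric comparison is used because plain string comparison misranks versions such as a hypothetical 3.10.x.x.

```python
"""Triage an inventory of Aruba Instant On devices against HPE's fixed firmware.

Added example, not HPE's code. Thresholds come from the advisory text:
CVE-2025-37103 and CVE-2025-37102 affect access points on firmware 3.2.0.1
and below; both are fixed in 3.2.1.0. Switches are not affected.
Inventory rows and device names below are constructed sample data.
"""
from typing import List, Tuple

FIXED_VERSION = "3.2.1.0"  # first release that addresses both CVEs


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '3.2.0.1' into (3, 2, 0, 1) so comparisons are numeric.

    String comparison would rank '3.10.0.0' below '3.2.1.0'; tuple
    comparison does not. Shorter strings are padded to four components.
    """
    parts = tuple(int(p) for p in ver.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(device_type: str, firmware: str) -> bool:
    """True when an Instant On access point runs firmware below the fix."""
    if device_type.lower() != "ap":
        return False  # the bulletin states Instant On switches are not affected
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Return (needs_update, not_affected) name lists for (name, type, fw) rows."""
    needs_update, not_affected = [], []
    for name, device_type, firmware in inventory:
        target = needs_update if is_affected(device_type, firmware) else not_affected
        target.append(name)
    return needs_update, not_affected


# Constructed sample inventory; names and the 3.10.0.0 version are illustrative.
SAMPLE_INVENTORY = [
    ("ap-lobby", "ap", "3.2.0.1"),       # last affected release
    ("ap-floor2", "ap", "3.1.0"),        # older release, affected
    ("ap-office", "ap", "3.2.1.0"),      # fixed release
    ("ap-warehouse", "ap", "3.10.0.0"),  # hypothetical newer release
    ("sw-core", "switch", "3.2.0.1"),    # switches are out of scope
]

if __name__ == "__main__":
    update, ok = triage(SAMPLE_INVENTORY)
    print("update required:", update)
    print("not affected:", ok)
```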
