HPE Aruba Instant On Access Points Contained Hardcoded Credentials

Date: 22/07/2025

Hewlett Packard Enterprise (HPE) has warned that hardcoded credentials have been discovered in Aruba Instant On access points. These credentials allow an attacker to bypass standard device authentication and gain access to the web interface.

Aruba Instant On access points are compact wireless devices primarily designed for small and medium-sized businesses, offering various enterprise-level features (guest networks, traffic segmentation) with management via cloud or mobile applications.

The vulnerability, identified as CVE-2025-37103 and classified as critical (with a CVSS score of 9.8), affects Instant On access points running firmware version 3.2.0.1 and below. It is specifically noted that CVE-2025-37103 does not affect Instant On switches.

“Hardcoded credentials were discovered in HPE Networking Instant On access points, allowing anyone who knows about this to bypass the device’s standard authentication,” explains HPE in their security bulletin. “Successful exploitation allows a remote attacker to gain administrative access to the system.”

After gaining access to the web interface as an administrator, attackers can change the access point settings, reconfigure the security system, implant backdoors, set up covert surveillance, intercept traffic, or attempt lateral movement.

Owners of vulnerable devices are advised to update the firmware as soon as possible to version 3.2.1.0 or newer, in which the vulnerability has been addressed. HPE specialists do not report any existing workarounds for this issue, so installing the update is the recommended course of action.

In the same security bulletin, HPE also reported another vulnerability, CVE-2025-37102. This is an authenticated command injection issue in the command-line interface (CLI), and it also affects Aruba Instant On access points.

Because exploiting it requires administrative rights, this vulnerability can be combined with CVE-2025-37103. The combination allows attackers to inject arbitrary commands into the CLI and use them to extract data, disable protections, and establish persistence in the system.

This vulnerability was also fixed in the updated firmware version 3.2.1.0, and no alternative solutions are provided for its remediation.
