
HPE Aruba Instant On Access Points Contained Hardcoded Credentials

Hewlett-Packard Enterprise (HPE) has warned that hardcoded credentials have been discovered in Aruba Instant On access points. These credentials allow bypassing standard device authentication to gain access to the web interface.

Aruba Instant On access points are compact wireless devices primarily designed for small and medium-sized businesses, offering various enterprise-level features (guest networks, traffic segmentation) with management via cloud or mobile applications.

The vulnerability, identified as CVE-2025-37103 and classified as critical (with a CVSS score of 9.8), affects Instant On access points running firmware version 3.2.0.1 and below. It is specifically noted that CVE-2025-37103 does not affect Instant On switches.

“Hardcoded credentials were discovered in HPE Networking Instant On access points, allowing anyone who knows about this to bypass the device’s standard authentication,” explains HPE in their security bulletin. “Successful exploitation allows a remote attacker to gain administrative access to the system.”

With administrative access to the web interface, an attacker can change the access point's settings, reconfigure its security controls, implant backdoors, set up covert monitoring, intercept traffic, or attempt lateral movement into the rest of the network.

Owners of vulnerable devices are advised to update to firmware version 3.2.1.0 or newer, in which the vulnerability is fixed, as soon as possible. HPE reports no workarounds for this issue, so installing the update is the recommended course of action.

In the same security bulletin, HPE also reported another vulnerability, CVE-2025-37102. This issue is an authenticated command injection in the command-line interface (CLI) and likewise affects Aruba Instant On access points.

Because exploiting it requires administrative rights, this vulnerability can be chained with CVE-2025-37103: an attacker who bypasses authentication could then inject arbitrary commands into the CLI and use them to extract data, disable protections, and establish persistence on the system.

This vulnerability is also fixed in firmware version 3.2.1.0, and no workarounds are provided for it.
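Both issues share the same remediation: get every Instant On access point to 3.2.1.0 or newer. The following is an added example, not HPE tooling or code from the bulletin, of the kind of inventory triage a defender would run against a list of deployed devices. It applies only the thresholds stated above (3.2.0.1 and below affected, 3.2.1.0 and newer fixed), reports builds in the gap between them as unknown rather than assuming they are safe, skips Instant On switches since the bulletin says they are not affected, and compares versions numerically so that a hypothetical 3.10.x build is not mis-sorted below 3.9.x. The hostnames and firmware strings in the sample inventory are constructed for illustration.

```python
"""Triage an Instant On inventory against CVE-2025-37103 / CVE-2025-37102.

Added example for this article, not HPE tooling. Only the version
thresholds stated in the HPE bulletin are used; the inventory below is
constructed sample data, not real devices.
"""
from __future__ import annotations

from dataclasses import dataclass

# Thresholds exactly as stated in the bulletin summarised above.
LAST_AFFECTED = (3, 2, 0, 1)   # "3.2.0.1 and below" is affected
FIRST_FIXED = (3, 2, 1, 0)     # "3.2.1.0 or newer" contains the fix


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted firmware string such as "3.2.0.1" into an integer tuple.

    Integer tuples compare numerically, so "3.10.0.0" sorts after "3.9.0.0";
    a plain string comparison would get that wrong.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one access point firmware.

    A build strictly between 3.2.0.1 and 3.2.1.0 is not covered by the
    bulletin's wording, so it is reported as 'unknown' rather than 'fixed'.
    """
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"


@dataclass(frozen=True)
class Device:
    name: str
    kind: str        # "access point" or "switch"
    firmware: str


def triage(inventory: list[Device]) -> dict[str, list[str]]:
    """Group device names by remediation status.

    Instant On switches are listed under 'not_applicable' because the
    bulletin states the access point CVEs do not affect them.
    """
    result: dict[str, list[str]] = {
        "affected": [], "fixed": [], "unknown": [], "not_applicable": [],
    }
    for dev in inventory:
        if dev.kind != "access point":
            result["not_applicable"].append(dev.name)
            continue
        result[classify(dev.firmware)].append(dev.name)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    Device("ap-lobby-01", "access point", "3.2.0.1"),   # last affected build
    Device("ap-floor2-03", "access point", "3.1.9.2"),  # older, affected
    Device("ap-warehouse", "access point", "3.2.1.0"),  # first fixed build
    Device("ap-meeting-b", "access point", "3.2.0.5"),  # not covered by bulletin
    Device("sw-core-01", "switch", "3.2.0.1"),          # switches are out of scope
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>14}: {', '.join(names) or '-'}")
```

Devices that land in the "affected" or "unknown" buckets are the ones to schedule for the 3.2.1.0 update first; since the bulletin offers no workaround, there is no compensating control to fall back on for anything left in those lists.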
