HPE Warns of Critical Vulnerabilities in Aruba Access Points That Could Be Exploited

Tuesday, July 22, 2025

Hewlett Packard Enterprise (HPE) has issued a security advisory regarding critical vulnerabilities in Aruba Instant On Access Points, Wi-Fi devices designed for small to medium-sized businesses. A hardcoded password was discovered in the firmware of affected devices, allowing unauthorized attackers to bypass authentication and access the web interface without needing valid admin credentials. This vulnerability, tracked as CVE-2025-37103, carries a Critical CVSS score of 9.8 and affects firmware versions 3.2.0.1 and earlier. HPE confirmed that Instant On Switches are not impacted.

Unauthorized admin-level access could enable attackers to alter security settings, install backdoors, intercept network traffic, or pivot to other systems within the organization. The flaw was identified by a researcher from the Ubisectech Sirius Team under the alias “ZZ” and reported directly to HPE. Users are strongly advised to upgrade to firmware version 3.2.1.0 or later, as there is currently no workaround available. In the same advisory, HPE also disclosed another high-severity vulnerability, CVE-2025-37102, a command injection flaw in the command line interface (CLI). This vulnerability requires admin privileges and could be exploited alongside CVE-2025-37103 to execute arbitrary code, extract sensitive data, disable security mechanisms, or establish persistent remote control.

Although no attacks exploiting these vulnerabilities are known yet, HPE urges all users to update their firmware immediately to mitigate potential threats.
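As an added example (not code from HPE or the advisory), the following inventory check flags access points still on firmware 3.2.0.1 or earlier; the device names and firmware strings are constructed for illustration. Versions are compared component by component as integers, because plain string comparison would wrongly rank a release such as 3.10.0.0 below 3.2.0.1.

```python
# Added example: triage an Aruba Instant On AP inventory against the
# affected range from the advisory (3.2.0.1 and earlier; fixed in 3.2.1.0).
from typing import List, Optional, Tuple

LAST_AFFECTED = "3.2.0.1"  # last affected release, per the advisory
FIXED_VERSION = "3.2.1.0"  # first fixed release, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert a dotted firmware string to an integer tuple so comparison
    is numeric per component; raises ValueError on unparsable input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the firmware is 3.2.0.1 or earlier."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def triage(inventory: List[Tuple[str, str]]) -> List[dict]:
    """Classify each (device, firmware) pair. Unparsable strings are reported
    for manual review rather than silently treated as patched."""
    report = []
    for name, firmware in inventory:
        affected: Optional[bool]
        try:
            affected = is_affected(firmware)
            status = f"UPGRADE to {FIXED_VERSION} or later" if affected else "ok"
        except ValueError:
            affected, status = None, "unknown version, check manually"
        report.append({"device": name, "firmware": firmware,
                       "affected": affected, "status": status})
    return report


# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    ("ap-lobby", "3.2.0.1"),      # last affected release
    ("ap-floor2", "3.1.4.0"),     # earlier release, affected
    ("ap-warehouse", "3.2.1.0"),  # fixed release
    ("ap-lab", "3.10.0.0"),       # later release; string compare would misjudge
    ("ap-guest", "n/a"),          # version not reported
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['device']:<14}{row['firmware']:<10}{row['status']}")
```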

Source: https://www.bleepingcomputer.com/news/security/hpe-warns-of-hardcoded-passwords-in-aruba-access-points/