HPE Aruba Instant On Access Points Contained Hardcoded Credentials


Hewlett Packard Enterprise (HPE) has issued a critical security advisory after discovering hardcoded credentials in its Aruba Instant On access points. The flaw allows remote attackers to bypass standard authentication and gain full administrative access to the device’s web interface.

Aruba Instant On access points are compact wireless networking devices designed for small and medium-sized businesses. They offer enterprise-grade features—such as guest networking, traffic segmentation, and centralized cloud or mobile management—at a more accessible price point.

The vulnerability, tracked as CVE-2025-37103 and rated 9.8 (Critical) on the CVSS scale, affects devices running firmware version 3.2.0.1 or earlier. Importantly, this issue does not impact Aruba Instant On switches.

“Hardcoded credentials were found in HPE Networking Instant On access points, allowing anyone aware of them to bypass the device’s standard authentication,” HPE wrote in its advisory. “Successful exploitation enables a remote attacker to gain administrative access to the system.”

With administrative access to the web interface, an attacker could manipulate network settings, implant persistent backdoors, intercept sensitive traffic, or attempt lateral movement within the broader network.

HPE urges all users to update affected devices to firmware version 3.2.1.0 or later, which contains a fix for the vulnerability. No workarounds have been provided, making patching the only viable mitigation strategy.


In the same advisory, HPE disclosed a second flaw—CVE-2025-37102—affecting the command-line interface (CLI) of Aruba Instant On access points. This vulnerability enables authenticated command injection, allowing attackers with admin-level access to execute arbitrary CLI commands.

Although less severe on its own, this flaw becomes highly dangerous when chained with CVE-2025-37103. An attacker who leverages the hardcoded credentials can escalate the attack by injecting malicious commands to exfiltrate data, disable security controls, or maintain long-term access to the system.

This issue has also been resolved in firmware version 3.2.1.0. No temporary mitigations are available.


Summary

  • CVE-2025-37103: Critical (CVSS 9.8) – Hardcoded credentials allowing remote admin access.
  • CVE-2025-37102: Command injection vulnerability in the CLI (requires admin privileges).
  • Solution: Update immediately to firmware version 3.2.1.0 or later.

Administrators managing Aruba Instant On deployments should prioritize these updates to prevent potential exploitation and protect internal network assets.
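An added example for administrators triaging this advisory (not code from HPE or from the article): the script below checks a constructed device inventory against the affected (3.2.0.1 or earlier) and fixed (3.2.1.0) firmware versions quoted above, comparing version components numerically so that a string comparison does not misorder releases. The inventory layout, device names and the version 3.1.9.2 are assumptions; any access point below the fixed release is treated as unpatched, and switches are skipped because the advisory states they are not affected.

```python
"""Inventory check for CVE-2025-37103 / CVE-2025-37102 on HPE Aruba Instant On APs."""
from typing import Dict, List, Tuple

FIXED_VERSION = "3.2.1.0"  # first fixed release, per the HPE advisory
LAST_AFFECTED = "3.2.0.1"  # "3.2.0.1 or earlier" is affected, per the advisory


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.2.0.1' into (3, 2, 0, 1); reject anything that is not dotted integers."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed firmware version: {v!r}")
    return tuple(int(p) for p in parts)


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad with zeros so '3.2.1' and '3.2.1.0' compare as equal."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def is_affected(version: str) -> bool:
    """True when the firmware is older than the fixed release (assumption: every
    release below 3.2.1.0 is treated as unpatched, which covers 3.2.0.1 and earlier)."""
    cur, fixed = _pad(parse_version(version), parse_version(FIXED_VERSION))
    return cur < fixed


def flag_unpatched(inventory: List[Dict[str, str]]) -> List[str]:
    """Return names of Instant On access points still on pre-fix firmware.
    Switches are skipped: the advisory says they are not impacted."""
    return [
        dev["name"]
        for dev in inventory
        if dev.get("type") == "access_point" and is_affected(dev["firmware"])
    ]


# Constructed sample inventory; names, types and 3.1.9.2 are made up for the example.
SAMPLE_INVENTORY = [
    {"name": "ap-lobby", "type": "access_point", "firmware": "3.2.0.1"},
    {"name": "ap-office", "type": "access_point", "firmware": "3.2.1.0"},
    {"name": "ap-warehouse", "type": "access_point", "firmware": "3.1.9.2"},
    {"name": "sw-core", "type": "switch", "firmware": "3.2.0.1"},
]

if __name__ == "__main__":
    for name in flag_unpatched(SAMPLE_INVENTORY):
        print(f"{name}: update to {FIXED_VERSION} or later (CVE-2025-37103, CVE-2025-37102)")
```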
