Hewlett-Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On Access Points that allow attackers to bypass normal device authentication and access the web interface. “Hardcoded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” explained HPE in the bulletin. The security issue, tracked as CVE-2025-37103 and rated “critical” (CVSS v3.1 score: 9.8), impacts Instant On Access Points running firmware version 3.2.0.1 and below. Aruba Instant On Access Points are compact, plug-and-play wireless (Wi-Fi) devices, designed primarily for small to medium-sized businesses, offering enterprise-grade features (guest networks, traffic segmentation) with cloud/mobile app management. This flaw can be chained with CVE-2025-37103, as admin access is required for its exploitation, allowing threat actors to inject arbitrary commands into the CLI for data exfiltration, security disabling, and establishing persistence. By accessing the web interface as administrators, attackers may change the access point’s settings, reconfigure security, install backdoors, perform stealthy surveillance by capturing traffic, or even attempt lateral movement. This is a high-severity authenticated command injection flaw in the Command Line Interface (CLI) of Aruba Instant On access points. Bill Toulas Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 20 Jul 2025 15:40:16 +0000