Hewlett-Packard Enterprise (HPE) has issued a warning about a critical security vulnerability in Aruba Instant On Access Points, allowing attackers to bypass authentication and gain administrative access.
The vulnerability, CVE-2025-37103, has a CVSS v3.1 score of 9.8 and affects firmware version 3.2.0.1 and earlier. The flaw involves hardcoded login credentials in the access points, which could be exploited by anyone to gain full administrative control. According to HPE, the presence of such credentials allows “anyone with knowledge of it to bypass normal device authentication.”
Successful exploitation could grant an attacker the power to alter settings, install malware, or capture network traffic. It was reported to HPE by a security researcher from the Ubisectech Sirius Team known as ZZ. HPE advises upgrading to version 3.1.1.0 or later for the AP-510EX access points, and to firmware version 3.2.1.0 or newer for other affected devices to address the risk, since no workarounds exist.
Additionally, HPE highlighted another high-severity vulnerability, CVE-2025-37102, an issue with the Command Line Interface (CLI) of Aruba Instant On access points. This flaw could allow threat actors to inject arbitrary commands, resulting in potential data exfiltration or security breaches. This issue requires being chained with CVE-2025-37103 for full impact.
There are no known reports of these vulnerabilities being exploited. HPE Aruba Networking emphasizes applying the security updates as soon as possible to mitigate potential threats.
