What is CVE-2025-37103 in HPE Aruba devices?

CVE-2025-37103 is a critical vulnerability with a CVSS score of 9.8 that involves hardcoded credential exposure allowing unauthorized access to the web interface. Since the administrative credentials are embedded in the firmware itself, discovering them is trivial for knowledgeable threat actors with access to the device firmware or reverse engineering capabilities.

What is CVE-2025-37102 in HPE Aruba devices?

CVE-2025-37102 is an authenticated command injection vulnerability in the Command Line Interface with a CVSS score of 7.2. This vulnerability can be chained with the hardcoded credential vulnerability to create a complete attack pathway for compromising the devices.

How can the HPE Aruba vulnerabilities be exploited together?

The two vulnerabilities can be chained together to create a complete attack pathway. Attackers can first exploit the hardcoded credentials (CVE-2025-37103) to gain unauthorized access, then use the authenticated command injection vulnerability (CVE-2025-37102) to execute malicious commands and completely compromise the device.

When did HPE start automatic updates for the Aruba vulnerabilities?

HPE initiated automatic updates during the week of June 30, 2025. These automatic updates require no action from customers for the patches to be deployed to affected Instant On Access Points.

What are the CVSS scores for the HPE Aruba vulnerabilities?

CVE-2025-37103 has a CVSS score of 9.8 (critical severity) for the hardcoded credential exposure, while CVE-2025-37102 has a CVSS score of 7.2 (high severity) for the authenticated command injection vulnerability.

What is the potential impact of the HPE Aruba vulnerabilities?

The vulnerabilities could allow attackers to completely compromise HPE Aruba Networking Instant On Access Points. This could lead to unauthorized network access, data interception, network disruption, and potential lateral movement within enterprise networks.

Why are hardcoded credentials particularly dangerous in the HPE Aruba vulnerability?

Hardcoded credentials are particularly dangerous because they are embedded in the firmware itself, making discovery trivial for knowledgeable threat actors with access to the device firmware or reverse engineering capabilities. This means the credentials cannot be easily changed and are the same across all affected devices.

Do HPE Aruba customers need to take any action for the security patches?

The automatic updates initiated during the week of June 30, 2025, require no action from customers for the patches to be deployed. However, administrators should still check for update status and can manually trigger upgrades if needed through the Instant On mobile application or web portal interface.

Advisory

HPE Aruba networking Instant On Access Points have hardcoded password vulnerability

Q: What are the HPE Aruba Networking Instant On Access Points vulnerabilities?

Hewlett Packard Enterprise (HPE) has reported multiple security vulnerabilities in its Aruba Networking Instant On Access Points that could allow attackers to completely compromise these enterprise Wi-Fi devices. The vulnerabilities include CVE-2025-37103 (CVSS 9.8) for hardcoded credential exposure and CVE-2025-37102 (CVSS 7.2) for authenticated command injection.

Q: Which HPE Aruba devices are affected by these vulnerabilities?

The vulnerabilities impact HPE Aruba Networking Instant On Access Points running software version 3.2.0.1 and below. These are enterprise Wi-Fi devices used in business networks.

Q: How can administrators manually update HPE Aruba devices?

Administrators should check for update status and can manually trigger upgrades through the Instant On mobile application or web portal interface. This provides an alternative to the automatic update process.

published: July 21, 2025

Take action: If you have HPE Aruba Instant On Access Points, be aware that the devices have hardcoded credentials and command injection flaws - both fairly trivial to be exploited. Verify that your devices have been updated to software version 3.2.1.0 or higher. If not, trigger an update process.

Learn More

Hewlett Packard Enterprise (HPE) is reporting multiple security vulnerabilities in its Aruba Networking Instant On Access Points that could allow attackers to completely compromise these enterprise Wi-Fi devices.

Vulnerabilities summary:

CVE-2025-37103 (CVSS score 9.8) - Hardcoded Credential Exposure allowing unauthorized access to web interface. Since the administrative credentials are embedded in the firmware itself, discovering them is trivial for knowledgeable threat actors with access to the device firmware or reverse engineering capabilities.
CVE-2025-37102 (CVSS score 7.2) - Authenticated Command Injection vulnerability in the Command Line Interface. This vulnerability can be chained with the hardcoded credential vulnerability to create a complete attack pathway.

The vulnerabilities impact Instant On Access Points running software version 3.2.0.1 and below,

HPE has patched both vulnerabilities in software version 3.2.1.0 and above. The company initiated automatic updates during the week of June 30, 2025, requiring no action from customers for the patches to be deployed. Administrators should still check for update status and can manually trigger upgrades through the Instant On mobile application or web portal interface.

HPE Aruba networking Instant On Access Points have hardcoded password vulnerability

Read More
Critical vulnerability in OpenVPN Windows driver enables system …
Critical vulnerability in FortiSwitch GUI allows unauthorized admin …
Critical vulnerability in Gladinet CentreStack and Triofox (CVE-2025-30406) …
CISA warns of active exploitation of critical Sudo …
Juniper fixes multiple critical flaws in Juniper Secure …