cbcvebase.
CVE-2025-37103
published 2025-07-08

CVE-2025-37103: Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device…

PriorityP267critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.00%
58.5th percentile
Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system.

Affected

1 ranges
VendorProductVersion rangeFixed in
hewlett_packard_enterprisehpe_networking_instant_on3.2.0.0 – 3.2.0.1

Detection & IOCsextracted from sources · hover to see the quote

  • Target devices: HPE Networking Aruba Instant On Access Points running firmware version 3.2.0.1 and below are vulnerable to hardcoded credential authentication bypass via the web interface
  • Attack vector is remote access to the device web management interface using hardcoded administrative credentials embedded in the firmware; monitor for unexpected admin logins to Aruba Instant On web interfaces
  • CVE-2025-37103 can be chained with CVE-2025-37102 (authenticated CLI command injection) — monitor for CLI command injection activity following web interface admin login on affected devices
  • Scope clarification: CVE-2025-37103 does NOT affect Instant On Switches — focus detection efforts exclusively on Instant On Access Points
  • ·Hardcoded credentials are embedded in the firmware itself; the credentials are not publicly disclosed in available sources but are described as trivially discoverable through firmware analysis
  • ·No workarounds are available from HPE; the only remediation is upgrading to firmware version 3.2.1.0 or newer
  • ·As of publication, HPE Aruba Networking has confirmed no known in-the-wild exploitation, but the critical CVSS score (9.8) and ease of exploitation make rapid weaponization likely
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.