Hewlett Packard Enterprise (HPE) has disclosed a critical vulnerability affecting its Aruba Instant On Wi-Fi access points, potentially exposing countless business and home networks to unauthorized access. The flaw, tracked as CVE-2025-37103, stems from hardcoded administrative credentials embedded in device firmware versions up to 3.2.0.1. If exploited, the issue allows attackers to bypass authentication and gain full access to the device’s management interface.
Background
Aruba Instant On devices are widely used small business Wi-Fi access points, valued for their ease of deployment and cloud-managed capabilities. However, a recent security audit identified that the firmware of these access points contains unremovable, embedded administrator credentials. Security researchers warn that such credentials function as a backdoor, providing attackers with privileged access without needing a legitimate username or password.
Vulnerability Details
- CVE Identifier: CVE-2025-37103
- CVSS Score: 9.8 (Critical)
- Affected Products: Aruba Instant On Access Points (firmware versions ≤ 3.2.0.1)
- Not Affected: Aruba Instant On Switches
- Root Cause: Presence of hardcoded administrative credentials in firmware
- Access Vector: Network-based (unauthenticated access to management interface)
This flaw enables a remote attacker to access the web-based management interface of affected devices. Once connected, adversaries can modify wireless settings, disable security configurations, intercept network traffic, and potentially pivot further into the internal network.
Chained Exploitation Risk
HPE has also acknowledged a related high-severity vulnerability—CVE-2025-37102—that affects the same devices. This secondary flaw allows for authenticated command injection. If CVE-2025-37103 is first exploited to gain access, an attacker could then leverage CVE-2025-37102 to achieve remote code execution, significantly deepening the compromise.
Impact
The consequences of an exploited device include:
- Full administrative control of Wi-Fi access points
- Exposure of internal Wi-Fi traffic to eavesdropping or manipulation
- Deployment of persistent threats or malware within the local network
- Interruption of wireless service or changes to SSID/security settings
- Lateral movement into sensitive internal IT systems
As the vulnerability can be exploited remotely and without authentication, it poses a high risk to any affected network with exposed management interfaces.
Mitigation and Recommendations
HPE strongly urges all users of Aruba Instant On access points to upgrade their firmware to version 3.2.1.0 or later, which fully patches the vulnerability. No alternative mitigations or workarounds are available.
