Critical Flaw (CVE-2025-37103) in Aruba Instant On APs: Hardcoded Credentials Allow Full Admin Takeover – Patch Now!

Hewlett Packard Enterprise (HPE) has issued a security advisory for a critical vulnerability in Aruba Instant On access points. The firmware contains hardcoded credentials that let an attacker bypass normal authentication and obtain full administrative access to the device's web management interface.

Aruba Instant On access points are compact wireless devices aimed primarily at small and medium-sized businesses. They offer enterprise-style features such as guest networking and traffic segmentation, and they are managed centrally through a cloud portal or mobile app.

The flaw, tracked as CVE-2025-37103, carries a CVSS score of 9.8, placing it in the Critical range. It affects access points running firmware version 3.2.0.1 or earlier. According to HPE, hardcoded usernames and passwords are present in the firmware, so anyone who knows them and can reach the web management interface over the network can log in with full administrative privileges.

Once authenticated, an attacker can change system settings, disable security features, plant persistent backdoors, intercept wireless traffic, or use the compromised access point as a foothold for lateral movement into the rest of the network.

The vulnerability was reported directly to the vendor by a researcher at Ubisectech Sirius who goes by the pseudonym ZZ.

HPE urges all customers to update to firmware version 3.2.1.0 or later. No workaround is available: only the update removes the hardcoded credentials. Until it is installed, restricting which networks can reach the access point's management interface reduces exposure but does not remove the flaw. Aruba Instant On switches are not affected.
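The practical first step is to find every access point in the fleet that is still on 3.2.0.1 or earlier. The script below is an added example written for this article, not HPE or Aruba code. It assumes a simple inventory of (name, device kind, firmware string) that you export from whatever records the fleet; the device names and firmware strings in it are constructed for illustration. It compares versions field by field rather than as strings (a string comparison would wrongly rank a hypothetical 3.10.0.0 below 3.2.0.1), skips switches, which HPE says are unaffected, and refuses to classify unparseable firmware strings as patched.

```python
"""Audit an Aruba Instant On inventory against the CVE-2025-37103 firmware boundary.

Added example, not vendor code. The inventory format (name, kind, firmware)
is an assumption; thresholds come from the advisory: 3.2.0.1 and earlier is
affected, 3.2.1.0 and later is fixed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

FIXED_VERSION = "3.2.1.0"   # first fixed release per the HPE advisory

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '3.2.0.1' into (3, 2, 0, 1) so each field compares numerically.

    Tuples of ints compare field by field, which is what dotted versions
    mean; plain string comparison would put '3.10.0.0' before '3.2.0.1'.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(firmware: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the firmware predates the first fixed release."""
    return parse_version(firmware) < parse_version(fixed)


@dataclass(frozen=True)
class Device:
    name: str
    kind: str       # "ap" or "switch"; switches are out of scope per HPE
    firmware: str


def audit(devices: list[Device]) -> dict[str, list[str]]:
    """Bucket devices into vulnerable / patched / not_applicable / unknown."""
    result: dict[str, list[str]] = {
        "vulnerable": [], "patched": [], "not_applicable": [], "unknown": []
    }
    for d in devices:
        if d.kind != "ap":
            result["not_applicable"].append(d.name)
            continue
        try:
            bucket = "vulnerable" if is_vulnerable(d.firmware) else "patched"
        except ValueError:
            bucket = "unknown"   # bad data must not be mistaken for "patched"
        result[bucket].append(d.name)
    return result


# Constructed sample inventory; names and versions are hypothetical.
SAMPLE_INVENTORY = [
    Device("ap-lobby", "ap", "3.2.0.1"),      # last affected release
    Device("ap-warehouse", "ap", "3.1.4.0"),  # older, affected
    Device("ap-office-2", "ap", "3.2.1.0"),   # first fixed release
    Device("ap-lab", "ap", "3.10.0.0"),       # string compare would get this wrong
    Device("sw-core", "switch", "2.8.0.0"),   # switches are not affected
    Device("ap-guest", "ap", "n/a"),          # missing data: flag, do not assume
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_INVENTORY).items():
        print(f"{bucket:>14}: {', '.join(names) or '-'}")
```

Anything in the "vulnerable" or "unknown" buckets needs attention; "unknown" usually means the inventory is stale, which is its own finding.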

The same bulletin covers a second vulnerability, CVE-2025-37102, which allows arbitrary command execution through the command-line interface but requires administrative access. Chained with CVE-2025-37103, which supplies that access, it gives an attacker with no prior credentials command execution on the device itself, which can be used to exfiltrate data, disable defenses, and maintain persistent access.

At the time of publication there were no reports of either vulnerability being exploited in the wild. Experts nevertheless stress that the update should be applied without delay: hardcoded credentials are trivial to use once they have been extracted from the firmware and shared, so the window for acting ahead of attackers may be short.