Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

A critical flaw found in popular HPE Aruba Wi-Fi devices

The flaw, CVE-2025-37103, has a severity score of 9.8 out of 10 and could allow a remote attacker to gain full administrative access

byKerem Gülen
July 21, 2025
in Cybersecurity, News
Home News Cybersecurity

HPE has issued a warning regarding hardcoded credentials within Aruba Instant On Access Points, which could enable remote attackers to gain administrative access. The vulnerability, identified as CVE-2025-37103, affects Instant On Access Points operating firmware version 3.2.0.1 and earlier, prompting a recommendation for immediate firmware upgrades.

Aruba Instant On Access Points function as compact, plug-and-play wireless devices, designed for small to medium-sized businesses, offering enterprise-grade features and cloud/mobile app management. CVE-2025-37103, rated as critical with a CVSS v3.1 score of 9.8, stems from hardcoded login credentials within the firmware. This allows anyone with knowledge of these credentials to bypass standard device authentication and access the web interface.

HPE’s bulletin specified that successful exploitation could grant a remote attacker administrative access to the system. With administrative credentials embedded in the firmware, their discovery is straightforward for knowledgeable actors, potentially leading to configuration changes, security reconfigurations, backdoor installations, traffic surveillance, or lateral movement within a network.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.


Inside the LLM system that reads emails like a cybersecurity analyst


The Ubisectech Sirius Team security researcher, identified by the alias ZZ, discovered and reported this vulnerability directly to HPE. To mitigate the risk posed by CVE-2025-37103, users of affected devices are advised to upgrade to firmware version 3.2.1.0 or newer. HPE has not provided any alternative workarounds, making patching the sole recommended action. The bulletin clarifies that CVE-2025-37103 does not impact Instant On Switches.

HPE’s bulletin also details a second vulnerability, CVE-2025-37102, a high-severity authenticated command injection flaw found in the Command Line Interface (CLI) of Aruba Instant On access points. This flaw can be exploited in conjunction with CVE-2025-37103, as administrative access is a prerequisite for its exploitation. Chaining these vulnerabilities allows threat actors to inject arbitrary commands into the CLI, potentially leading to data exfiltration, security disabling, and establishing persistence. Similar to CVE-2025-37103, this issue is resolved by upgrading to firmware version 3.2.1.0 or later, with no available workarounds. HPE Aruba Networking has not received any reports of exploitation for either of these vulnerabilities to date.


Featured image credit

Tags: CybersecurityenterpriseFeaturedHPE

Related Posts

Asus ROG Ally, Ally X preorders open; ships October 16

Asus ROG Ally, Ally X preorders open; ships October 16

September 26, 2025
OpenAI: GDPval framework tests AI on real-world jobs

OpenAI: GDPval framework tests AI on real-world jobs

September 26, 2025
Hugging Face: AI video energy use scales non-linearly

Hugging Face: AI video energy use scales non-linearly

September 26, 2025
Apple Wallet digital ID expands to North Dakota

Apple Wallet digital ID expands to North Dakota

September 26, 2025
Salesforce Agentforce hit by Noma “ForcedLeak” exploit

Salesforce Agentforce hit by Noma “ForcedLeak” exploit

September 26, 2025
BetterPic: The industry-leading AI headshot generator

BetterPic: The industry-leading AI headshot generator

September 26, 2025

LATEST NEWS

Asus ROG Ally, Ally X preorders open; ships October 16

OpenAI: GDPval framework tests AI on real-world jobs

Hugging Face: AI video energy use scales non-linearly

Apple Wallet digital ID expands to North Dakota

Salesforce Agentforce hit by Noma “ForcedLeak” exploit

BetterPic: The industry-leading AI headshot generator

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Glossary
    • Whitepapers
  • Newsletter
  • + More
    • Conversations
    • Events
    • About
      • About
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies. By continuing to use this website you are giving consent to cookies being used. Visit our Privacy Policy.