HPE Aruba Instant On Access Points: Update closes vulnerabilities, one of them critical
Hard-coded credentials and a further attack vector put users of HPE access points at risk. Current software versions remove the danger.
HPE Aruba Networking has published a security warning for its "Instant On" access points. The company warns of two vulnerabilities, one of which has been classified as critical.
Users should ensure that their access point software is up to date: versions from 3.2.1.0 onwards are patched. According to HPE's Security Advisory, the update should already have been installed automatically in the default configuration; however, a manual upgrade is also possible via the Instant On app or the web portal if required. HPE Networking Instant On switches are not affected by the vulnerabilities.
Default credentials & remote commands
HPE's Security Advisory provides details on the vulnerabilities. According to the advisory, CVE-2025-37103 (CVSS score 9.8, "critical") stems from hard-coded login credentials. A remote attacker with knowledge of these credentials could log in with admin rights and thus take control of the device.
CVE-2025-37102 (7.2, "high") allows commands to be injected remotely via the command-line interface; however, the attacker would already need elevated access rights.
(ovw)