Attacks possible on network management solution HPE Networking On
Attackers can exploit four security vulnerabilities in HPE Networking On. A patch is available.
Admins using HPE Networking On in companies should update the network management solution promptly. Otherwise, attackers can exploit four security vulnerabilities and, among other things, gain access to information that should be isolated.
Various Dangers
In a warning message, the developers state that three vulnerabilities (CVE-2025-37165, CVE-2025-37166, CVE-2023-52340) are classified as having a threat level of “high.” For one vulnerability (CVE-2022-48839), the risk is considered “medium.” All devices with HPE Networking On up to and including version 3.3.1.0 are said to be affected. In addition, switches in the Aruba 1930 series with Instant On up to and including version 3.3.1.0 are vulnerable.
Attackers can, for example, send crafted packets to vulnerable access points to trigger crashes as part of a DoS attack. Afterward, according to the developers, a hard reset is necessary for devices to resume operation.
Because of errors in the configuration mode of access points, attackers can access information that should be protected. This data reveals details about internal network configurations, which can very likely be used for further attacks. How the described attacks could proceed in detail is currently unclear.
Protect Devices
Furthermore, the processing of manipulated IPv4 and IPv6 packets can lead to errors that cause crashes. HPE states that it currently has no indications of ongoing attacks. Since this can change quickly, admins should not hesitate and should install the patched HPE Networking Instant On version 3.3.2.0. All previous versions are vulnerable, according to the developers.
(des)
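To find devices that still need the update, an inventory export can be checked against the version boundary given above (affected up to and including 3.3.1.0, fixed in 3.3.2.0). The following is an added example, not code from HPE or from the article; the CSV layout, hostnames and the zero-padding of short version strings are assumptions.

```python
import csv
import io

# Boundary taken from the article: releases up to and including 3.3.1.0 are
# affected, 3.3.2.0 is the patched release.
FIRST_FIXED = (3, 3, 2, 0)

# Constructed sample inventory; hostnames, models and CSV layout are assumptions.
SAMPLE_INVENTORY = """hostname,model,version
ap-lobby,Instant On AP,3.3.1.0
ap-floor2,Instant On AP,3.3.2.0
sw-core,Aruba 1930,3.2.0.1
sw-lab,Aruba 1930,3.3
ap-old,Instant On AP,unknown
"""


def parse_version(text):
    """Return the dotted version as a 4-tuple of ints, or None if unparseable."""
    parts = text.strip().split(".")
    if len(parts) > 4 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    # Assumption: a short string such as "3.3" means 3.3.0.0.
    return tuple(nums + [0] * (4 - len(nums)))


def audit(inventory_csv):
    """Sort devices into patched, vulnerable and needs-manual-review buckets."""
    result = {"patched": [], "vulnerable": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["version"])
        if version is None:
            # Unreadable version: never assume the device is patched.
            result["review"].append(row["hostname"])
        elif version < FIRST_FIXED:
            result["vulnerable"].append(row["hostname"])
        else:
            result["patched"].append(row["hostname"])
    return result


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Devices in the "review" bucket report no usable version and should be checked by hand rather than treated as patched.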