Full Report
Hewlett-Packard Enterprise (HPE) is warning of hardcoded credentials in Aruba Instant On Access Points that allow attackers to bypass normal device authentication and access the web interface. [...]
Analysis Summary
# Vulnerability: Hardcoded Credentials and Authenticated Command Injection in Aruba Access Points
## CVE Details
- CVE ID: CVE-2025-37103 (Hardcoded Passwords)
- CVE ID: CVE-2025-37102 (Authenticated Command Injection)
- CVSS Score: N/A (Severity/Score not explicitly provided for CVE-2025-37103, but CVE-2025-37102 is described as **High-severity**)
- CWE: Not explicitly detailed
## Affected Systems
- Products: HPE Aruba Instant On Access Points
- Versions: Versions prior to firmware 3.2.1.0
- Configurations: CVE-2025-37102 specifically affects the Command Line Interface (CLI). CVE-2025-37103 does not impact Instant On Switches.
## Vulnerability Description
Two primary vulnerabilities were disclosed:
1. **CVE-2025-37103 (Hardcoded Passwords):** Involves hardcoded credentials present in certain Aruba access points.
2. **CVE-2025-37102 (Authenticated Command Injection):** A high-severity flaw in the CLI of Aruba Instant On access points. This flaw allows an authenticated attacker to inject arbitrary commands, potentially leading to data exfiltration, security disabling, and persistence establishment. This vulnerability can be chained with CVE-2025-37103.
## Exploitation
- Status: HPE Aruba Networking is **not aware of any reports of exploitation** of the two flaws at the time of the report.
- Complexity: CVE-2025-37102 requires **authentication (admin access)** to exploit.
- Attack Vector: Both vulnerabilities likely involve **Local/Network** access depending on how access credentials for the affected interfaces are obtained.
## Impact
- Confidentiality: High (Due to potential command injection for data exfiltration)
- Integrity: High (Due to ability to inject arbitrary commands)
- Availability: Potential Impact (Due to ability to modify security settings or establish persistence)
## Remediation
### Patches
- Upgrade to **firmware version 3.2.1.0 or newer** to resolve both CVE-2025-37103 and CVE-2025-37102.
### Workarounds
- HPE has provided **no workarounds** for these issues; immediate patching is recommended.
## Detection
- The primary detection mechanism relies on monitoring for unauthorized access or command execution via the CLI on Aruba access points, especially prior to patching.
- Detection tooling should look for unusual administrative activity post-upgrade confirmation.
## References
- Vendor Advisory: HPE Aruba Networking Security Advisory (Specific URL not provided in text)
- Relevant links - defanged:
- hxxps://www.bleepingcomputer.com/news/security/hpe-warns-of-hardcoded-passwords-in-aruba-access-points/