Skip to content
Uniqcli

"Aruba Instant On CVE-2025-37102: Authenticated CLI Command Injection — What Admins Must Do"

NewsUniqcli TeamJune 14, 20266 min read
"Aruba Instant On CVE-2025-37102: Authenticated CLI Command Injection — What Admins Must Do"

HPE Aruba Networking has disclosed CVE-2025-37102, an authenticated command-injection vulnerability in the command-line interface (CLI) of HPE Networking Instant On access points. It was published alongside a more severe flaw, CVE-2025-37103 (hardcoded credentials, CVSS 9.8). On their own, neither is currently known to be exploited in the wild — but read together they describe a realistic path to full device takeover. This post lays out exactly what is confirmed by the vendor and independent advisories, and what your team should do.

What happened

In a security bulletin (HPESBNW04712) HPE disclosed two vulnerabilities in the Instant On line of small-business access points:

  • CVE-2025-37103 — Hardcoded login credentials in the firmware let anyone who knows them bypass normal device authentication and gain administrative access to the web interface. No authentication is required to exploit it. CVSS 9.8 (Critical). It was reported by a researcher using the alias "ZZ" from the Ubisectech Sirius Team.
  • CVE-2025-37102 — An authenticated command-injection flaw in the Instant On CLI. An attacker with administrative (highly privileged) access can inject arbitrary commands that run on the underlying operating system.

The concern with CVE-2025-37102 is the chain. The hardcoded-credentials flaw (CVE-2025-37103) supplies the privileged access that CVE-2025-37102 requires. An attacker who used the hardcoded credentials to log in could then use the command-injection flaw to run arbitrary OS-level commands — enabling data exfiltration, disabling of security features, installation of backdoors, and persistence. Both flaws are fixed in the same firmware release.

Instant On is HPE Aruba Networking's cloud-managed Wi-Fi line aimed at small businesses and branch sites; the devices are common in retail, clinics, satellite offices, and similar edge locations.

Affected products and versions

Product Affected Fixed
HPE Networking Instant On Access Points (firmware) Version 3.2.0.1 and earlier 3.2.1.0 or later

Both CVE-2025-37102 and CVE-2025-37103 are addressed by the same firmware update. The vendor and independent advisories consistently cite 3.2.0.1 and below as affected and 3.2.1.0 as the fixed release. Note: this advisory covers the Instant On access-point line specifically — it does not apply to Aruba AOS-8/AOS-10 controller-managed access points or AOS-CX switches, which carry their own separate advisories.

How serious is it

CVE-2025-37102 is rated high severity, CVSS 7.2 (per the published CVE record). That score reflects its prerequisite: the attacker must already hold administrative privileges on the device. Command injection that runs as a highly privileged OS user is serious — it means full control of the access point — but the bar to reach it is meaningful on its own.

The real-world severity rises sharply when CVE-2025-37102 is considered next to CVE-2025-37103 (CVSS 9.8). The hardcoded-credentials flaw removes the authentication prerequisite that would otherwise gate CVE-2025-37102, turning two separate issues into a plausible unauthenticated-to-root chain.

On exploitation status: as of the advisory's publication, HPE Aruba Networking stated it was not aware of any public exploits or active attacks targeting these vulnerabilities. Neither CVE-2025-37102 nor CVE-2025-37103 is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog at the time of writing. That is not a reason to defer patching — hardcoded credentials are trivially weaponized once known, and a fix being available makes these attractive targets.

Am I exposed?

You are likely exposed if all of the following are true:

  • You operate HPE Networking Instant On access points (the small-business cloud-managed line — not enterprise AOS controller-managed or CX gear).
  • Their firmware is at 3.2.0.1 or earlier.

To check: open the Instant On mobile app or cloud portal, select your site, and review the firmware version reported for each access point. Pay particular attention to any device whose web or CLI management interface is reachable beyond the local trusted network — internet-exposed management dramatically increases risk, especially given the hardcoded-credentials flaw.

How to fix it

  1. Upgrade firmware to 3.2.1.0 or later. This is the only remediation HPE provides for both CVEs. There are no workarounds or mitigations — a firmware update is required. Instant On devices typically update through the cloud-managed service; confirm each access point has applied 3.2.1.0+ rather than assuming the fleet auto-updated.
  2. Verify across every site. Distributed Instant On deployments can have stragglers that missed an update window. Confirm the fixed version on each unit, not just a sample.
  3. Reduce management exposure in the interim. Until every device is on 3.2.1.0+, restrict access to device management interfaces (web and CLI) to trusted networks only, and ensure they are not reachable from the internet. This limits who can reach the attack surface even though it does not remediate the flaws themselves.
  4. Rotate credentials and review configs after patching. Because the hardcoded-credentials flaw could have allowed prior admin access, change administrative passwords and review device configuration, firewall/security settings, and logs for anything unexpected once you are on the fixed release.

How Uniqcli helps

As an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, Uniqcli can help you close this out end to end:

  • Assess exposure. We help you inventory your Instant On (and broader Aruba) fleet, identify which units are on vulnerable firmware (3.2.0.1 or earlier), and prioritize remediation across distributed sites.
  • Support the upgrade. We can guide the firmware rollout to 3.2.1.0+, validate that every access point is patched, and advise on hardening management access during the transition.
  • Source patched or replacement hardware. If any sites are running access points that are end-of-support or otherwise due for refresh, we can source current, patched Aruba hardware — including TAA-compliant options for federal and SLED buyers.
  • Compliant procurement. We support purchasing through the vehicles your organization already uses, including GSA, NASA SEWP, and other federal and cooperative contracts, with proper terms and genuine, warrantied hardware.

If you run Instant On access points and want help confirming your exposure or planning the upgrade, contact Uniqcli and we will scope it with you.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL