Skip to content
Uniqcli

"Aruba Instant On CVE-2025-37103 (CVSS 9.8): Hardcoded Admin Credentials — Upgrade to 3.2.1.0 Now"

NewsUniqcli TeamJune 13, 20266 min read
"Aruba Instant On CVE-2025-37103 (CVSS 9.8): Hardcoded Admin Credentials — Upgrade to 3.2.1.0 Now"

HPE Aruba Networking has disclosed a critical hardcoded-credentials flaw in its Instant On access points. Tracked as CVE-2025-37103 and carrying a CVSS v3.1 base score of 9.8, the vulnerability lets an attacker bypass normal device authentication and gain administrative control of an affected access point. A second, related issue (CVE-2025-37102) was disclosed at the same time. Both are fixed in firmware 3.2.1.0, and HPE states there are no workarounds — upgrading is the remediation.

This post lays out what is confirmed by HPE and corroborating advisories, who is affected, and the concrete steps to close the exposure.

What happened

HPE Aruba Networking found that its Instant On access points ship with hardcoded login credentials embedded in the firmware. Anyone who knows those credentials can log in to the device's web interface and bypass the normal authentication mechanism, gaining administrative access. The flaw was reported to HPE by a researcher from the Ubisectech Sirius Team (alias "ZZ") and addressed in a July 2025 security bulletin (HPESBNW04712).

A separate flaw, CVE-2025-37102, is an authenticated command-injection vulnerability in the access point's command-line interface (CLI). On its own it requires administrative privileges, but it can be chained with CVE-2025-37103: an attacker uses the hardcoded credentials to gain admin, then injects arbitrary operating-system commands through the CLI. That combination turns an authentication bypass into full device compromise.

Importantly, this advisory applies to Instant On access points only. Per HPE, Instant On switches are not affected.

Affected products and versions

Product Affected Fixed
HPE Aruba Networking Instant On Access Points (CVE-2025-37103) Firmware 3.2.0.1 and earlier 3.2.1.0 or later
HPE Aruba Networking Instant On Access Points (CVE-2025-37102) Firmware 3.2.0.1 and earlier 3.2.1.0 or later
HPE Aruba Networking Instant On Switches Not affected

Both CVEs share the same affected range and the same fixed release, so a single firmware upgrade to 3.2.1.0 resolves both.

How serious is it

CVE-2025-37103 is rated CVSS 9.8 (Critical). The score reflects the worst-case profile for a network device: remotely reachable, requiring no authentication and no user interaction, and resulting in a full compromise of confidentiality, integrity, and availability. With administrative access, an attacker can change access point settings, reconfigure or disable security controls, install backdoors, intercept traffic passing through the device, and use it as a foothold for lateral movement into the rest of the network.

CVE-2025-37102 is rated CVSS 7.2 (High). It requires high privileges to exploit on its own, which is why the chaining with CVE-2025-37103 matters — the hardcoded credentials supply exactly the admin access the command-injection flaw needs.

On exploitation status: as of the disclosure, HPE reported no evidence that either vulnerability has been exploited in the wild, and the Belgian Centre for Cybersecurity (CCB) advisory likewise notes no observed active exploitation. At the time of writing, CVE-2025-37103 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog. That status can change; given the 9.8 severity and the simplicity of an embedded-credential bypass, treat this as urgent regardless of current exploitation reports.

Am I exposed?

You are likely exposed if all of the following are true:

  • You operate HPE Aruba Networking Instant On access points (the small-business / branch Wi-Fi line, managed through the Instant On cloud portal or mobile app), and
  • Any of those access points are running firmware 3.2.0.1 or earlier.

To check, open the Instant On portal or mobile app, review your sites and devices, and confirm the firmware version reported for each access point. The risk is highest where an access point's management or web interface is reachable from untrusted networks. Instant On switches and other Aruba product lines (for example AOS-CX or AOS-10 gear) are outside the scope of this specific advisory.

How to fix it

  1. Upgrade firmware to 3.2.1.0 or later. This is the only remediation HPE provides for both CVE-2025-37103 and CVE-2025-37102; there are no official workarounds. Most Instant On deployments receive firmware through the cloud-managed update mechanism — confirm automatic updates are enabled, or trigger the update manually, and verify every access point reports 3.2.1.0 afterward.
  2. Reduce exposure of the management interface in the interim. Until every device is patched, limit who can reach access point management and web interfaces — keep them off untrusted and guest networks and restrict access to trusted management segments. This is a general hardening measure rather than a vendor-confirmed mitigation for the hardcoded-credentials flaw, so do not treat it as a substitute for the upgrade.
  3. Watch for signs of prior compromise. Patching protects against future exploitation but does not undo any access that already occurred. Review access point configurations for unexpected changes, scrutinize logs for unfamiliar administrative logins, and increase monitoring during and after the upgrade.
  4. Confirm and document. After patching, record the firmware version on each device for audit and compliance purposes, especially in regulated environments.

How Uniqcli helps

Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller serving US federal, SLED, healthcare, and enterprise customers. For this advisory we can:

  • Assess your exposure — inventory your Instant On access points, identify which are running firmware 3.2.0.1 or earlier, and prioritize remediation across sites.
  • Source patched or replacement hardware — where devices are end-of-support, under-provisioned, or due for refresh, we can quote current Instant On or higher-tier Aruba Networking gear through TAA-compliant, GSA, and SEWP procurement vehicles.
  • Support the upgrade — help plan and validate the move to firmware 3.2.1.0, including staged rollouts, management-interface hardening, and post-upgrade verification.

If you run Aruba Instant On wireless and want help confirming your firmware status or planning the fix, contact Uniqcli and we will scope it with you.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL