HPE warns hardcoded passwords in Aruba hardware could pose a major security risk
HPE patches two flaws in Aruba Instant On Access Points

- HPE patched CVE-2025-37103 and CVE-2025-37102
- The former is a case of hardcoded credentials for an admin account
- The latter allows the execution of arbitrary commands as an admin
HPE has patched a critical-severity vulnerability in its Aruba Instant On Access Points which could have allowed threat actors to access the devices as an admin, change settings, deploy malware, and wreak havoc as they see fit.
Aruba Instant On Access Points are Wi-Fi devices designed for small businesses. They are advertised as easy-to-deploy devices offering fast, secure, and reliable wireless connectivity.
In a security advisory, HPE said it found hardcoded credentials in the device’s firmware, “allowing anyone with knowledge of it to bypass normal device authentication.”
No workarounds
“Successful exploitation could allow a remote attacker to gain administrative access to the system,” the company added.
Now, the bug is tracked as CVE-2025-37103. It has a severity score of 9.8/10 (critical) and is apparently simple to find and exploit, especially for a skilled threat actor.
Unfortunately, hardcoded credentials are a common occurrence in modern software. Typically, while a product is being built, developers add an admin account this way for easy and convenient access.
However, these credentials should be removed before the product is shipped to the market, and when the DevSecOps team or the Application Security team fails, vulnerabilities like this one happen.
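As an added, hypothetical example of the pre-release check the paragraph calls for (not HPE's or Aruba's code, and unrelated to the details of the actual flaw): a small scan of firmware build artefacts that fails the release when a credential-looking literal is still present. The artefact paths, the regex patterns and the sample contents are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Credential-looking assignments that must not ship in firmware (assumed patterns).
CREDENTIAL_PATTERNS = [
    # key=value style: ADMIN_PASSWORD="...", admin_secret: '...', debug_password = "..."
    re.compile(r'(?i)\b(\w*(?:pass(?:word|wd)?|secret|token)\w*)\s*[:=]\s*["\']([^"\']+)["\']'),
    # account creation in an install script with an inline password argument
    re.compile(r'(?i)\b(useradd|adduser)\b.*?(?:-p|--password)\s+["\']?(\S+)'),
]

@dataclass
class Finding:
    path: str
    line: int
    key: str
    value: str

def is_literal(value: str) -> bool:
    # A reference to an environment variable or a command substitution is resolved
    # at runtime, so it is not a hardcoded credential; anything else is a literal.
    return not (value.startswith("${") or value.startswith("$("))

def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in CREDENTIAL_PATTERNS:
            m = pat.search(line)
            if m and is_literal(m.group(2)):
                findings.append(Finding(path, lineno, m.group(1), m.group(2)))
    return findings

def release_gate(artifacts: dict[str, str]) -> tuple[bool, list[Finding]]:
    """Return (ok, findings); ok is False when any credential literal remains."""
    findings = [f for path, text in artifacts.items() for f in scan_text(path, text)]
    return (not findings, findings)

# Constructed sample artefacts (not real firmware content).
SAMPLE_ARTIFACTS = {
    "etc/init.d/S50webui": 'ADMIN_PASSWORD="s3cr3t-dev-only"\nexec /usr/sbin/webui\n',
    "src/auth.c": 'static const char *debug_password = "letmein";\n',
    "postinst.sh": 'useradd -m -p x0V.aBc12 svc\n',
    "etc/config.yaml": 'admin_password: "${ADMIN_PASSWORD}"\n',  # runtime-provided, allowed
}

if __name__ == "__main__":
    ok, found = release_gate(SAMPLE_ARTIFACTS)
    for f in found:
        print(f"{f.path}:{f.line}: hardcoded credential in {f.key}")
    raise SystemExit(0 if ok else 1)
```

A check like this belongs in the build pipeline so that a release image containing a leftover admin account fails before it reaches customers.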
There are no workarounds to mitigate the problem; patching is the only way to secure the access points, and thus the wider network, from attacks.
In the same advisory, HPE said it patched a second bug, an authenticated command injection vulnerability in the Instant On command-line interface. This bug, tracked as CVE-2025-37102, allows remote threat actors with elevated privileges to execute arbitrary commands on the underlying operating system as a highly privileged user. It was assigned a severity score of 7.2/10 (high).
For this vulnerability, too, there are no workarounds, and HPE advises users to apply the patch as soon as possible.
Via BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.