HPE Warns of Hardcoded Admin Credentials in Aruba Instant On Firmware

Hewlett Packard Enterprise (HPE) has notified customers about the presence of hardcoded passwords in Aruba Instant On access points, which can allow attackers to bypass standard device authentication and gain access to the web management interface of this business-oriented network equipment.

Aruba Instant On access points are compact, plug-and-play wireless devices designed primarily for small to medium-sized enterprises, offering enterprise-grade services such as guest networking and traffic segmentation, all managed via cloud or mobile applications.

HPE has acknowledged a critical security vulnerability identified as CVE-2025-37103, affecting Instant On access points running firmware version 3.2.0.1 or earlier.

The HPE bulletin states, “HPE Networking Instant On access points contain hardcoded credentials that allow anyone aware of this to bypass standard device authentication. Successfully exploiting this vulnerability could enable remote attackers to gain administrative access to the system.” Because the administrative credentials are embedded in the firmware image itself, anyone who analyzes that image can recover them.

With administrative access to the web interface, malicious actors could alter the access point’s configuration, change its security settings, install backdoors, conduct covert surveillance, or intercept network traffic.

The CVE-2025-37103 vulnerability was discovered by a security researcher from the Ubisectech Sirius Team, who reported it directly to the manufacturer. Users of affected devices are advised to upgrade their firmware to version 3.2.1.0 or newer to mitigate the risk of unauthorized access.

HPE has not offered any workaround for this issue and urges users to apply the firmware update as soon as possible. The bulletin clarifies that CVE-2025-37103 does not affect Instant On switches.
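Because the only remediation is a firmware upgrade, the practical first step for a defender is to find every Instant On access point still running 3.2.0.1 or earlier. The script below is an added example, not an HPE tool or anything from the bulletin: it takes an inventory of access point names and firmware strings (assumed to be exported from the Instant On cloud portal or mobile app by some other means) and sorts each device into affected, patched, or unknown. The fixed version 3.2.1.0 and the last affected version 3.2.0.1 come from the bulletin; the device names and the version strings in the sample inventory (including the hypothetical 3.10.0.0, which a naive string comparison would misclassify) are constructed for illustration.

```python
# Triage Aruba Instant On access points against CVE-2025-37103 by firmware version.
# Added example; version thresholds are taken from the HPE bulletin, inventory is constructed.

FIXED_VERSION = "3.2.1.0"    # first release that removes the hardcoded credentials (per HPE)
LAST_AFFECTED = "3.2.0.1"    # latest affected release named in the bulletin


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string such as '3.2.0.1' into a tuple of ints.

    Comparing tuples of ints avoids the classic pitfall of comparing version
    strings lexicographically, where '3.10.0.0' would sort before '3.2.1.0'.
    Shorter strings are right-padded with zeros so '3.2' compares as '3.2.0.0'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def is_affected(version: str) -> bool:
    """True when the firmware predates the fixed release (i.e. <= 3.2.0.1)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: list) -> dict:
    """Bucket each {'name': ..., 'firmware': ...} record as affected, patched, or unknown.

    A version string that cannot be parsed is reported as 'unknown' rather than
    silently treated as safe, so it still shows up for manual follow-up.
    """
    report = {"affected": [], "patched": [], "unknown": []}
    for ap in inventory:
        try:
            bucket = "affected" if is_affected(ap["firmware"]) else "patched"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(ap["name"])
    return report


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"name": "lobby-ap", "firmware": "3.2.0.1"},      # last affected release
    {"name": "warehouse-ap", "firmware": "3.2.1.0"},  # first fixed release
    {"name": "office-ap", "firmware": "3.10.0.0"},    # hypothetical newer build
    {"name": "lab-ap", "firmware": "3.1.9.5"},        # older, affected
    {"name": "test-ap", "firmware": "unknown"},       # version not retrievable
]

if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    for bucket, names in result.items():
        print(f"{bucket:9}: {', '.join(names) or '-'}")
```

Anything in the "affected" bucket needs the 3.2.1.0 upgrade; the "unknown" bucket is deliberately kept separate so that a device whose version could not be read is not assumed to be patched.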

Currently, HPE Aruba Networking is not aware of any reports of exploitation of CVE-2025-37103, nor of CVE-2025-37102, an authenticated command injection vulnerability in the command-line interface of Aruba Instant On access points.