HPE warns hardcoded passwords in Aruba hardware could pose a major security risk
- HPE patched CVE-2025-37103 and CVE-2025-37102
- The former is a case of hardcoded credentials for an admin account
- The latter allows the execution of arbitrary commands as an admin
HPE has patched a critical-severity vulnerability in its Aruba Instant On Access Points which could have allowed threat actors to access the devices as an admin, change settings, deploy malware, and wreak havoc as they see fit.
Aruba Instant On Access Points are Wi-Fi devices designed for small businesses. They are advertised as easy-to-deploy devices offering fast, secure, and reliable wireless connectivity.
In a security advisory, HPE said it found hardcoded credentials in the device’s firmware, “allowing anyone with knowledge of it to bypass normal device authentication.”
No workarounds
“Successful exploitation could allow a remote attacker to gain administrative access to the system,” the company added.
The bug is now tracked as CVE-2025-37103. It has a severity score of 9.8/10 (critical) and is apparently simple to find and exploit, especially for a skilled threat actor.
Unfortunately, hardcoded credentials are a common occurrence in modern software. Usually, during the production phase, software developers add an admin account this way for easy and convenient access.
However, these credentials should be removed before the product is shipped to the market, and when the DevSecOps team or the Application Security team fails, vulnerabilities like this one happen.
There are no workarounds to mitigate the problem; patching is the only way to secure the access points, and thus the wider network, from attacks.
In the same advisory, HPE said it patched a second bug, an authenticated command injection vulnerability in the Instant On command line interface. This bug, tracked as CVE-2025-37102, allows remote threat actors with elevated privileges to execute arbitrary commands on the underlying operating system as a highly privileged user. It was assigned a severity score of 7.2/10 (high).
For this vulnerability, too, there are no workarounds, and HPE advises users to apply the patch as soon as possible.
Via BleepingComputer