- HPE has patched CVE-2025-37103 and CVE-2025-37102
- The first is a hard-coded credential for an administrative account
- The second allows arbitrary command execution as a privileged user
HPE has patched a critical-severity vulnerability in its Aruba Instant On access points that could have let threat actors log in to the devices as administrator, change their settings, deploy malware and otherwise do as they please.
Aruba Instant On access points are Wi-Fi devices aimed at small businesses. They are marketed as easy-to-deploy devices offering fast, secure and reliable wireless connectivity.
In a security advisory, HPE said it had found hard-coded credentials in the devices' firmware, "allowing anyone with knowledge of it to bypass the device's normal authentication".
No workaround
"A successful exploitation could allow a remote attacker to gain administrative access to the system," the company added.
The bug is tracked as CVE-2025-37103. It carries a 9.8/10 (critical) severity score and is apparently easy to find and exploit, especially for a skilled threat actor.
Unfortunately, hard-coded credentials are common in modern software. Developers often add an administrative account this way during development, for quick and convenient access.
Those credentials must be removed before the product ships, and when the DevSecOps or application security team fails to catch them, vulnerabilities like this one are the result.
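One way to catch this class of flaw before a firmware image ships is a pre-release gate that scans the extracted root filesystem for usable password hashes and credential-looking string constants. The following is an added example, not HPE or Aruba code and not a description of the Instant On firmware: the sample filesystem is constructed inline, and the paths, account names and detection patterns are assumptions chosen for illustration.

```python
"""Pre-release gate: scan an extracted firmware rootfs for hard-coded credentials.

Added example, not vendor code. The rootfs below is a constructed sample
(path -> file content); real use would walk an extracted image on disk.
"""
import re
from typing import Dict, List

# Constructed sample rootfs. 'admin' has a live password hash in /etc/shadow
# and a management daemon carries credentials as plain string constants.
SAMPLE_ROOTFS: Dict[str, str] = {
    "etc/shadow": (
        "root:*:19000:0:99999:7:::\n"                       # locked: fine
        "admin:$6$salt$HASHVALUE...:19000:0:99999:7:::\n"   # usable hash: finding
        "support:!:19000:0:99999:7:::\n"                    # locked: fine
    ),
    "usr/sbin/mgmtd": 'user=admin\npassword="Dev123!"\nauth_bypass_token=abc123\n',
    "etc/config/wireless": "ssid=InstantOn\nencryption=wpa2\n",
}

# Password-field values that mean "no usable password" in passwd/shadow.
LOCKED = {"*", "!", "!!", "", "x"}

# Assumed key names; extend with whatever your codebase uses for secrets.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|pwd)\s*=\s*[\"']?[^\s\"']+"),
    re.compile(r"(?i)\b\w*(token|secret|api_key)\w*\s*=\s*[^\s]+"),
]


def shadow_findings(content: str) -> List[str]:
    """Report every passwd/shadow account whose password field is not locked."""
    findings = []
    for line in content.splitlines():
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, pw_field = parts[0], parts[1]
        if pw_field not in LOCKED:
            findings.append(f"account '{user}' has a usable password hash")
    return findings


def string_findings(content: str) -> List[str]:
    """Report lines that assign a literal value to a credential-like key.

    Only the key is reported, so the gate's log never echoes the secret.
    """
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match:
                key = match.group(0).split("=")[0].strip()
                findings.append(f"line {lineno}: hard-coded value for '{key}'")
                break
    return findings


def scan_rootfs(rootfs: Dict[str, str]) -> Dict[str, List[str]]:
    """Return {path: [findings]} for every file with at least one finding."""
    report: Dict[str, List[str]] = {}
    for path, content in rootfs.items():
        findings: List[str] = []
        if path.endswith(("shadow", "passwd")):
            findings += shadow_findings(content)
        findings += string_findings(content)
        if findings:
            report[path] = findings
    return report


def release_gate(rootfs: Dict[str, str]) -> bool:
    """True only when the image is clean; wire this in front of image signing."""
    return not scan_rootfs(rootfs)


if __name__ == "__main__":
    for path, findings in scan_rootfs(SAMPLE_ROOTFS).items():
        for finding in findings:
            print(f"{path}: {finding}")
    print("release gate:", "PASS" if release_gate(SAMPLE_ROOTFS) else "FAIL")
```

The gate deliberately treats a locked `root` entry as acceptable and flags any account with a real hash, because a hash that the vendor can log in with is exactly the hard-coded credential an attacker will extract from the same image.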
There is no workaround to mitigate the problem; patching is the only way to secure the access points, and with them the wider network, against attack.
In the same advisory, HPE said it had fixed a second bug, an authenticated command injection vulnerability in the Instant On command-line interface. Tracked as CVE-2025-37102, it allows remote threat actors with high privileges to execute arbitrary commands on the underlying operating system as a privileged user. It received a severity score of 7.2/10 (high).
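Authenticated CLI command injection of this kind typically comes from a management command that splices an operator-supplied argument into a shell string. The following is an added example of that pattern next to its hardened form; it is not Aruba's CLI code and says nothing about how the Instant On bug actually works. The `ping` handler, its argument format and the validation rules are assumptions.

```python
"""A management-CLI 'ping' handler: shell-string version vs. hardened version.

Added example, not vendor code. Shows why an authenticated CLI argument can
still reach the OS as extra commands, and how to stop it.
"""
import ipaddress
import re
import subprocess
from typing import List

# Assumed hostname rule: RFC 1123 labels, no leading '-' (so it can never be
# parsed as an option) and no shell metacharacters at all.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_ping_command(target: str) -> str:
    """Vulnerable: the argument is interpolated into a line a shell will parse.

    '10.0.0.1; id' or '$(reboot)' become additional commands, run with the
    CLI daemon's privileges. Kept here only to show the pattern; do not run it.
    """
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Accept an IP literal or a plain hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return HOSTNAME_RE.match(target) is not None


def hardened_ping_argv(target: str) -> List[str]:
    """Hardened: validate, then build an argv list so no shell ever parses it.

    Raises ValueError for anything that is not an IP address or hostname.
    """
    if not is_valid_target(target):
        raise ValueError(f"rejected target: {target!r}")
    # One argv element per token; the target stays a single argument whatever
    # characters it holds, and validation already forbids a leading '-'.
    return ["ping", "-c", "1", target]


def run_ping(target: str) -> int:
    """Execute the hardened form without a shell; returns ping's exit status."""
    return subprocess.run(hardened_ping_argv(target), check=False).returncode


if __name__ == "__main__":
    payload = "10.0.0.1; id"
    print("vulnerable shell line:", vulnerable_ping_command(payload))
    try:
        hardened_ping_argv(payload)
    except ValueError as exc:
        print("hardened handler:", exc)
    print("hardened argv:", hardened_ping_argv("ap-1.example.net"))
```

The fix is two independent layers: an allow-list check on the argument, and `subprocess.run` with an argument list rather than `shell=True`, so that even a value that slips past validation is delivered to `ping` as data rather than re-parsed as commands.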
There is no workaround for this vulnerability either, and HPE advises users to apply the fix as soon as possible.
Via BleepingComputer