- HPE patched CVE-2025-37103 and CVE-2025-37102
- The former is a case of hard-coded credentials for an admin account
- The latter allows the execution of arbitrary commands as administrator
HPE has patched a critical-severity vulnerability in its Aruba Instant On access points, which could have allowed threat actors to access the devices as an administrator, change settings, deploy malware and wreak havoc as they see fit.
Aruba Instant On Access Points are Wi-Fi devices designed for small businesses. They are advertised as easy-to-deploy devices that offer fast, secure and reliable wireless connectivity.
In a security advisory, HPE said it found hard-coded credentials in the device's firmware, "allowing anyone with knowledge of it to bypass normal device authentication."
No workarounds
"Successful exploitation could allow a remote attacker to gain administrative access to the system," the company added.
The flaw is now tracked as CVE-2025-37103. It has a severity score of 9.8/10 (critical) and is apparently simple to find and exploit, especially for a skilled threat actor.
Unfortunately, hard-coded credentials are a common occurrence in modern software. Usually during the production phase, software developers will add an admin account in this way for easy and convenient access.
However, these credentials should be removed before the product is shipped to market, and when the DevSecOps team or application security team fails to do so, vulnerabilities like this happen.
There are no workarounds to mitigate the problem; patching is the only way to secure the access points, and thus the wider network, from attacks.
In the same advisory, HPE said it patched another flaw, an authenticated command injection vulnerability in the Instant On command line interface. This flaw, which is tracked as CVE-2025-37102, allows remote threat actors with elevated privileges to run arbitrary commands on the underlying operating system as a highly privileged user. It was given a severity score of 7.2/10 (high).
For this vulnerability, there are no workarounds either, and HPE advises users to apply the patch as soon as possible.
Via BleepingComputer



