CVE-2025-37103

HPE · Networking Instant On Access Points

HPE Networking Instant On Access Points contain hard-coded credentials, enabling unauthenticated attackers to bypass device authentication and gain unauthorized access.

Executive summary

A critical security vulnerability in HPE Networking Instant On Access Points allows unauthenticated attackers to bypass authentication via hard-coded credentials, posing a severe risk of unauthorized access.

Vulnerability

The device contains hard-coded login credentials that facilitate an authentication bypass. This vulnerability is accessible to unauthenticated remote attackers who possess knowledge of the credentials.

Business impact

The presence of hard-coded credentials represents a significant security failure, potentially allowing attackers to gain full administrative control over network access points. With a CVSS score of 9.8, the risk of data interception, network pivoting, or complete device takeover is extreme. Such compromises could lead to severe operational downtime and the loss of internal network integrity.

Remediation

Immediate Action: Identify all deployed HPE Networking Instant On Access Points and consult the official HPE security portal to obtain and apply the latest firmware updates.

Proactive Monitoring: Review device access logs for frequent or unauthorized login attempts and monitor network traffic for anomalous behavior originating from management interfaces.

Compensating Controls: Restrict management interface access to trusted administrative IP ranges via firewall rules or VLAN segmentation to limit the exposure of the affected hardware.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of hard-coded credential vulnerabilities, organizations must prioritize the identification and patching of all affected HPE Networking devices. Failure to remediate this flaw leaves the network perimeter exposed to trivial unauthorized access, necessitating immediate and decisive action.