Hewlett Packard Enterprise (HPE) has released urgent security updates to fix a critical vulnerability affecting its Instant On Access Points, which could allow attackers to bypass authentication and gain unauthorized administrative access. The vulnerability, identified as CVE-2025-37103, has been assigned a staggering CVSS score of 9.8, placing it in the critical severity range.
The security flaw stems from hard-coded login credentials present in the HPE Networking Instant On Access Points, as noted in the company’s advisory. “This allows anyone with knowledge of it to bypass normal device authentication,” HPE stated. Exploiting this vulnerability could enable a remote attacker to seize full administrative access to compromised systems. More detailed information can be found in the company’s advisory here.
In addition to the authentication vulnerability, HPE has also addressed an authenticated command injection flaw in the command-line interface of the same devices (CVE-2025-37102), which carries a CVSS score of 7.2. This flaw could allow attackers who already hold elevated permissions to execute arbitrary commands on the underlying operating system, compounding the risk posed by the first vulnerability. Notably, the two vulnerabilities can be combined into an exploit chain: the authentication bypass supplies the privileged access that the command injection requires.
The vulnerabilities were discovered by ZZ from Ubisectech Sirius Team, who reported them to HPE. The company has confirmed that both issues have been resolved in software versions 3.2.1.0 and above. While HPE reassured users that other devices, such as HPE Networking Instant On Switches, remain unaffected, it stressed the importance of applying the updates promptly to guard against potential threats.
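Because the advisory names 3.2.1.0 as the first fixed release and scopes the issue to Instant On Access Points (not Switches), the practical defender task is to find every AP in the fleet still running older firmware. The script below is an added example, not HPE's own tooling: it assumes an exported inventory of hostname, product family and running firmware version (the rows here are constructed sample data), compares versions numerically rather than as strings, and treats an unparseable version as vulnerable so the check fails closed.

```python
"""Patch-compliance check for HPE Networking Instant On Access Points.

Added example; not HPE code. Assumes an inventory export with hostname,
product family and firmware version. Flags Instant On APs running firmware
below 3.2.1.0, the fixed release named in the advisory for CVE-2025-37103
and CVE-2025-37102.
"""
from typing import NamedTuple

# From the advisory: 3.2.1.0 and above contain the fix.
FIXED_VERSION = "3.2.1.0"

# Product family string the inventory uses for access points (assumed label).
AP_FAMILY = "Instant On AP"


class AccessPoint(NamedTuple):
    hostname: str
    family: str
    firmware: str


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    AccessPoint("ap-lobby-01", "Instant On AP", "3.2.0.1"),      # older than fix
    AccessPoint("ap-floor2-03", "Instant On AP", "3.10.0.0"),    # newer; string compare would misjudge
    AccessPoint("ap-warehouse", "Instant On AP", "3.2.1.0"),     # exactly the fixed release
    AccessPoint("sw-core-01", "Instant On Switch", "2.5.0.0"),   # out of scope per advisory
    AccessPoint("ap-lab-07", "Instant On AP", "unknown"),        # unparseable: fail closed
]


def parse_version(version: str) -> tuple:
    """Convert a dotted version string to an integer tuple for comparison.

    Non-numeric fields become 0 and short versions are padded to four
    fields, so "3.2.1" compares equal to "3.2.1.0" and "unknown" sorts
    below every real release (and is therefore flagged).
    """
    parts = [int(f) if f.isdigit() else 0 for f in version.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable(ap: AccessPoint) -> bool:
    """True when an Instant On AP runs firmware older than FIXED_VERSION."""
    if ap.family != AP_FAMILY:
        return False  # switches and other families are not affected
    return parse_version(ap.firmware) < parse_version(FIXED_VERSION)


def audit(inventory) -> list:
    """Return the sorted hostnames of APs that still need the update."""
    return sorted(ap.hostname for ap in inventory if is_vulnerable(ap))


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION} or later")
```

Numeric comparison matters here: a plain string comparison would judge "3.10.0.0" as older than "3.2.1.0" and raise a false alarm, while an exported field such as "unknown" would silently pass. Treating the unparseable case as vulnerable keeps the report conservative until the version can be confirmed on the device.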
As of now, there is no evidence suggesting that these vulnerabilities have been actively exploited in the wild. However, users are urged to take immediate action to ensure their systems are secured against any future risks.