Overview
On July 18, 2025, HPE disclosed a critical vulnerability affecting its popular Aruba Instant On Access Points, widely used in small and medium-sized business networks. The flaw? Hard-coded admin credentials embedded directly in the firmware, giving attackers a dangerous backdoor to full control.
What Happened?
Security researcher known as ‘ ZZ ‘ from Ubisectech’s Sirius Team uncovered two major vulnerabilities:
- CVE-2025-37103 (CVSS 9.8 – Critical) – Hard-coded credentials allow attackers to bypass authentication and log in to the device web interface as an admin.
- CVE-2025-37102 (CVSS 7.2 – High) – Once inside, attackers can exploit a command injection flaw to run arbitrary system commands with elevated privileges
These vulnerabilities affect firmware versions 3.2.0.1 and earlier on Aruba Instant On Access Points. Aruba Instant On switches are not impacted.
How It Works
The root of the issue lies in hard-coded login credentials that were unintentionally left in production firmware. Here’s how an attack unfolds:
- Authentication Bypass (CVE-2025-37103) – An attacker accesses the web interface and logs in using the known hard-coded admin credentials
- Remote Command Execution (CVE-2025-37102) – Now with full privileges, the attacker can send malicious inputs to exploit a command injection flaw in the CLI interface—executing arbitrary commands on the device
Together, these flaws give an attacker total control over the access point—and potentially the wider network it’s connected to.
Why This Matters
Wireless access points are not just edge devices, they’re entry points into your network. Here’s what could happen if these flaws are exploited:
- Full device takeover – Change configurations, disable security, redirect traffic
- Network compromise – Launch attacks on internal systems or steal sensitive data
- Persistence – Install malware or backdoors to maintain long-term access
- Silent exploitation – With no user interaction required, attacks can go unnoticed
Given the ease of exploitation and widespread use of these devices, the risk is significant.
What You Should Do
There are no workarounds. The only way to protect your network is to update immediately.
Action Steps:
- Identify affected devices (Aruba Instant On APs running firmware ≤ 3.2.0.1).
- Update to firmware version 3.2.1.0 or later via the Instant On web portal or mobile app.
- Reset any existing admin credentials after patching.
- Audit your access logs for suspicious login or CLI activity.
- Segment AP management interfaces from public or user-facing networks.
Lessons Learned
This incident is a reminder of a long-standing security rule:
“ Never ship devices with hard-coded credentials ”
Especially in the age of IoT, DevOps, and cloud-managed networks, embedded secrets are a ticking time bomb. Organizations should:
- Use secure firmware development practices
- Implement credential rotation and vaulting
- Enforce network segmentation for management interfaces
- Continuously monitor and audit identity and credential use
Final Thoughts
Vulnerabilities like this aren’t just technical bugs, they’re trust failures. Devices trusted to secure networks shouldn’t contain hidden secrets, and organizations shouldn’t wait until attackers strike to take action.
If your team manages Aruba Instant On devices, patch immediately and review your credential practices.
Need help securing your Non-Human Identities?
At NHIMG, we help organizations prevent incidents like this by:
- Designing and building secure, scalable NHI governance programs
- Providing expert-led advisory on identity risk, maturity, and program execution
- Offering education and training to upskill teams on NHI threats and best practices
- Guiding technology selection with unbiased market intelligence across 20+ NHI vendors
If your non-human identities aren’t governed, they’re vulnerable.
Contact us at https://nhimg.org/contact-us for insights, audits and consultation.