Hewlett-Packard Enterprise (HPE) has released security updates to address a critical security flaw affecting Instant On Access Points that could allow an attacker to bypass authentication and gain administrative access to susceptible systems.
The vulnerability, tracked as CVE-2025-37103, carries a CVSS score of 9.8 out of a maximum of 10.0.
“Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” the company said in an advisory.
“Successful exploitation could allow a remote attacker to gain administrative access to the system.”
Also patched by HPE is an authenticated command injection flaw in the command-line interface of the HPE Networking Instant On Access Points (CVE-2025-37102, CVSS score: 7.2) that a remote attacker could exploit with elevated permissions to run arbitrary commands on the underlying operating system as a privileged user.
This also means that an attacker could fashion CVE-2025-37103 and CVE-2025-37102 into an exploit chain, allowing them to obtain administrative access and inject malicious commands into the command-line interface for follow-on activity.
The company credited ZZ from Ubisectech Sirius Team for discovering and reporting the two issues. Both vulnerabilities have been resolved in HPE Networking Instant On software version 3.2.1.0 and above.
HPE also noted in its advisory that other devices, such as HPE Networking Instant On Switches, are not affected.
While there is no evidence that either of the flaws has come under active exploitation, users are advised to apply the updates as soon as possible to mitigate potential threats.
