Hewlett Packard Enterprise has fixed a pair of security bugs affecting Instant On Access Points, which could be chained to facilitate administrative access and malicious command injections, reports The Hacker News.
The more severe of the two is the critical hard-coded login credential issue, tracked as CVE-2025-37103, which could be leveraged to evade device authentication mechanisms and gain admin access, according to HPE. The high-severity authenticated command injection vulnerability, tracked as CVE-2025-37102, could be exploited by privileged attackers to execute arbitrary commands. While neither of the security defects, which were discovered and reported by Ubisectech Sirius Team, has yet been actively exploited, organizations using HPE Networking Instant On software versions older than 3.2.1.0 have been urged to immediately upgrade to the newer versions of the software. HPE Networking Instant On Switches and other devices were reported not to be impacted by the bugs.




