Hewlett-Packard Enterprise (HPE) has rolled out critical security patches addressing a serious vulnerability in its Instant On Access Points, which could allow attackers to bypass authentication controls and gain full administrative access. The flaw, tracked as CVE-2025-37103, has received a CVSS severity rating of 9.8, indicating its high potential for exploitation.
According to an advisory from HPE, the issue stems from hard-coded login credentials embedded within the devices. “Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” the company confirmed. “Successful exploitation could allow a remote attacker to gain administrative access to the system.”
Alongside this, HPE addressed a second vulnerability, CVE-2025-37102, which carries a CVSS score of 7.2. This flaw allows authenticated command injection through the command-line interface (CLI), enabling attackers with elevated access to execute arbitrary commands as a privileged user on the device’s underlying operating system.
When combined, the two flaws could form a powerful exploit chain: CVE-2025-37103 could be used to obtain unauthorized administrative access, which then could be leveraged to exploit CVE-2025-37102 and execute malicious commands—potentially opening the door for deeper system compromise and persistent access.
The vulnerabilities were responsibly disclosed by ZZ from Ubisectech Sirius Team, and both have been fixed in HPE Networking Instant On software version 3.2.1.0 and later. HPE emphasized that other product lines, including HPE Networking Instant On Switches, are not affected by these issues.
While there are currently no reports of active exploitation, HPE urges customers to update their devices immediately to reduce exposure to potential attacks. The advisory highlights the importance of staying up to date with firmware updates, especially for network-connected infrastructure that may be targeted remotely.
With the discovery of these critical flaws, HPE joins a growing list of tech vendors working swiftly to close security gaps in increasingly interconnected enterprise environments.
 has rolled out critical security patches addressing a serious vulnerability in its Instant On Access Poin...){kind=link}