HPE Aruba Issues Critical Security Update for Instant On Wi-Fi Devices
HPE Aruba Networking has issued a security update for its Instant On Wi-Fi devices, used by small and medium-sized businesses. The update addresses two vulnerabilities, including hardcoded login credentials that could give attackers unauthorized access to your device.
Researcher ZZ from Ubisectech Sirius Team discovered these issues and reported them through HPE's Bug Bounty program. The hardcoded credentials vulnerability, tracked as CVE-2025-37103, affects devices running firmware 3.2.0.1 and below. It allows attackers to bypass authentication and gain access to the web interface of your device.
The second vulnerability, CVE-2025-37102, is an authenticated command injection issue in the Instant On Command Line Interface. Firmware versions 3.2.1.0 and above address both vulnerabilities. HPE Aruba Networking is not aware of any public exploits or attacks exploiting these issues in the wild.
HPE Aruba Networking urges users of Instant On Wi-Fi devices to update their firmware to version 3.2.1.0 or newer to mitigate these vulnerabilities. The update ensures that hardcoded credentials are removed and the command injection issue is patched, enhancing the security of your device at home.
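A firmware triage against the version thresholds stated above, as an added example that is not HPE's or the article's own code. The inventory format (one `name,version` pair per line), the device names and the sample versions are constructed assumptions.

```python
import re

# Thresholds taken from the article above.
LAST_AFFECTED = (3, 2, 0, 1)  # CVE-2025-37103 affects this firmware and below
FIRST_FIXED = (3, 2, 1, 0)    # both CVEs are addressed from this firmware up


def parse_version(text):
    """Return a 4-tuple of ints, or None if the text is not N.N.N.N."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(version_text):
    """Classify one firmware string against the article's thresholds."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"   # unparseable: check the device by hand
    if v >= FIRST_FIXED:
        return "fixed"
    if v <= LAST_AFFECTED:
        return "affected"  # inside the range the article names for CVE-2025-37103
    # Between the two thresholds the article states nothing; still below the fix.
    return "update"


def triage_inventory(lines):
    """Map device name -> status for lines of the form 'name,version'."""
    report = {}
    for line in lines:
        name, _, version = line.partition(",")
        report[name.strip()] = triage(version)
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE = [
    "ap-lobby,3.2.0.1",
    "ap-office,3.2.1.0",
    "ap-warehouse,2.9.1.0",
    "ap-annex,3.10.0.0",   # numeric compare: 3.10 is newer than 3.2
    "ap-lab,3.2.0.5",
    "ap-spare,n/a",
]

if __name__ == "__main__":
    for device, status in triage_inventory(SAMPLE).items():
        print(f"{device:14} {status}")
```

Versions are compared as integer tuples because a plain string comparison would sort 3.10.0.0 below 3.2.1.0 and flag a newer firmware as out of date.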