- HPE patches CVE-2025-37103 and CVE-2025-37102
- The first is a case of hard-coded credentials for an administrator account
- The latter allows the execution of arbitrary commands as administrator
HPE has patched a critical-severity vulnerability in its Aruba Instant On access points that could have allowed threat actors to access devices as an administrator, change the configuration, deploy malware and wreak havoc as they see fit.
Aruba Instant On access points are Wi-Fi devices designed for small businesses. They are advertised as easy-to-deploy devices that offer fast, secure and reliable wireless connectivity.
In a security advisory, HPE said it found hard-coded credentials in the device firmware, “allowing anyone with knowledge of it to bypass the normal authentication of the device.”
No workaround
“Successful exploitation could allow a remote attacker to obtain administrative access to the system,” the company added.
The flaw is now tracked as CVE-2025-37103. It has a severity score of 9.8/10 (critical) and is apparently easy to find and exploit, especially for a skilled threat actor.
Unfortunately, hard-coded credentials are a common occurrence in modern software. Typically, during the production phase, software developers add an administrator account this way, for easy and convenient access.
However, these credentials must be removed before the product ships to market, and when the DevSecOps team or the application security team fails to do so, vulnerabilities such as this one occur.
There are no workarounds to mitigate the problem; patching is the only way to secure the access points and, therefore, the wider network, against attacks.
In the same advisory, HPE said it fixed a second flaw, an authenticated command injection vulnerability in the Instant On command line interface. This flaw, tracked as CVE-2025-37102, allows remote threat actors with high privileges to execute arbitrary commands on the underlying operating system as a highly privileged user. It was assigned a severity score of 7.2/10 (high).
For this vulnerability, there are no workarounds, and HPE advises users to apply the patch as soon as possible.
Via BleepingComputer