
Hewlett Packard Enterprise (HPE) has released a security update to address a critical security flaw affecting HPE Networking Instant On access points that lets attackers bypass authentication and gain administrative access to susceptible systems.
The vulnerability tracked as CVE-2025-37103 has a CVSS score of 9.8 out of a maximum of 10.0.
“Hardcoded login credentials were found on the HPE Networking Instant on the Access Point, allowing anyone who knows it to bypass normal device authentication,” the company said in its advisory.
“The successful exploitation allows remote attackers to gain administrative access to the system.”

Also patched by HPE is an authenticated command injection flaw in the command line interface of HPE Networking Instant On access points (CVE-2025-37102, CVSS score: 7.2). A remote attacker with elevated privileges can exploit it to execute arbitrary commands on the underlying operating system with elevated privileges.
This also means that an attacker could chain CVE-2025-37103 and CVE-2025-37102 into a single exploit chain, first gaining administrative access and then injecting malicious commands into the command line interface for follow-on activity.
The company credited ZZ of the Ubisectech Sirius Team with discovering and reporting the two issues. Both vulnerabilities are resolved in HPE Networking Instant On software version 3.2.1.0 or higher.
HPE also noted in its advisory that other devices, such as HPE Networking Instant On switches, are not affected.
Although there is no evidence that either flaw is under active exploitation, users are advised to apply the updates as soon as possible to mitigate potential threats.