Hewlett Packard Enterprise has issued a critical security alert for its Aruba Instant On Access Points, warning of a backdoor vulnerability that could allow attackers to bypass authentication entirely.

Tracked as CVE-2025-37103 and rated 9.8 (Critical) on the CVSS scale, the flaw stems from hardcoded login credentials embedded in the device firmware. “Hardcoded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication,” the company stated in its bulletin. The flaw affects Instant On Access Points running firmware version 3.2.0.1 and earlier. HPE confirmed that its Networking Instant On Switches are not affected.

The vulnerable APs are aimed at small and midsize businesses and are administered through a web interface, so anyone holding the embedded credentials gets full admin-level control. Attackers exploiting the flaw could reconfigure network settings, capture traffic, or install persistent backdoors. According to HPE, “successful exploitation could allow a remote attacker to gain administrative access to the system.” The company urged all users to upgrade to firmware version 3.2.1.0 or higher, noting that no workaround exists.
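Because the only remediation is the firmware upgrade, the first practical step is to find every AP still below the fixed release. The helper below is an added example (not HPE's code or tooling): it compares dotted firmware versions numerically rather than as strings, so a hypothetical 3.2.10.0 is correctly treated as newer than 3.2.1.0, and it sorts a constructed inventory into upgrade/ok/unknown buckets. The hostnames and versions in `SAMPLE_INVENTORY` are made up for illustration; the 3.2.0.1 and 3.2.1.0 thresholds come from HPE's bulletin.

```python
"""Triage an Instant On AP inventory against the CVE-2025-37103 fix level (added example)."""
from typing import Dict, List, Tuple

FIXED_VERSION = "3.2.1.0"          # first fixed release per HPE's bulletin
LAST_AFFECTED_VERSION = "3.2.0.1"  # HPE: "3.2.0.1 and earlier" are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted firmware version into integers for correct ordering.

    A plain string comparison gets this wrong: "3.2.10.0" < "3.2.1.0" lexically.
    Short versions are padded to four fields, so "3.2" compares as 3.2.0.0.
    Anything that is not purely numeric dotted components raises ValueError.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if not 1 <= len(parts) <= 4 or any(p < 0 for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def needs_upgrade(version: str) -> bool:
    """True when the running firmware is below the first fixed release.

    The bulletin lists 3.2.0.1 and earlier as affected and 3.2.1.0 as the fix,
    so anything below FIXED_VERSION is treated as needing the upgrade.
    """
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, firmware) pairs into upgrade / ok / unknown.

    Versions that cannot be parsed are reported separately instead of being
    silently marked safe, so a blank or odd value in an export is not missed.
    """
    report: Dict[str, List[str]] = {"upgrade": [], "ok": [], "unknown": []}
    for hostname, version in inventory:
        try:
            bucket = "upgrade" if needs_upgrade(version) else "ok"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(hostname)
    return report


# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ap-lobby", "3.2.0.1"),      # last affected release
    ("ap-warehouse", "3.1.0.5"),  # older, affected
    ("ap-office-2", "3.2.1.0"),   # first fixed release
    ("ap-office-3", "3.2.10.0"),  # hypothetical later release; string compare would misorder it
    ("ap-lab", "n/a"),            # missing version in the export
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed it the hostname/version pairs exported from your management portal or asset inventory; anything in the `unknown` bucket should be checked by hand rather than assumed patched.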

The issue was reported by a security researcher known as ZZ from the Ubisectech Sirius Team. Although no active exploitation has been reported yet, researchers say the hardcoded credentials could be trivially discovered by threat actors familiar with embedded firmware analysis.

A second flaw, CVE-2025-37102, was disclosed in the same bulletin. It is a command injection bug in the device’s command-line interface that requires elevated privileges, which is exactly what the hardcoded credentials provide: an attacker could use CVE-2025-37103 to log in as an administrator and then chain CVE-2025-37102 to run arbitrary commands on the device itself. HPE explained that a successful exploit “could allow a remote attacker with elevated privileges to execute arbitrary commands on the underlying operating system.”

Both issues were patched in the 3.2.1.0 update. HPE has not provided additional mitigations beyond the firmware upgrade, and the company stressed that users should apply the patch immediately to reduce risk.