
Critical Vulnerability in HPE Instant On Access Points: Hard-Coded Credentials Pose Severe Risk

Hewlett Packard Enterprise (HPE) has released security updates to address a critical vulnerability (CVE-2025-37103) in its Instant On access points. The flaw, rated CVSS 9.8, involves hard-coded credentials that could allow attackers to bypass authentication and gain administrative access to affected devices. Hard-coded credentials are a particularly serious class of weakness because they act as a persistent backdoor: the embedded credential keeps working even after users have changed their own passwords. The high CVSS score reflects that the flaw is easy to exploit and has a substantial impact on the confidentiality, integrity, and availability of affected systems.

The implications are severe. With administrative access, an attacker could eavesdrop on network traffic, install malware, or use the compromised access point as a pivot to reach other systems on the network. The issue also illustrates the ongoing challenge of supply chain risk, where a third-party product can introduce significant exposure into an organization's security posture.

Organizations using HPE Instant On access points should apply the latest security updates to mitigate this risk. They should also review their network configuration to limit lateral movement should an access point be compromised. The incident is a reminder of the value of a robust vulnerability management program built on regular updates and patch management. Security teams should prioritize updating affected devices and consider additional controls to protect against exploitation of this vulnerability.

The source of this information is a report from The Hacker News, which provides detailed insights into the vulnerability and the steps HPE has taken to address it.
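As an added illustration (not HPE code, and not derived from the advisory's undisclosed details), the following Python shows why a hard-coded fallback credential survives an administrator's password change, next to the hardened form that consults only the operator-managed credential store. The usernames and passwords are constructed placeholders.

```python
"""Constructed example: a hard-coded fallback credential versus a store-only check."""
import hashlib
import hmac
import os


def _derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for stored credentials (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    """Holds the single admin credential as (salt, hash); the owner can rotate it."""

    def __init__(self, password: str) -> None:
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)

    def verify(self, password: str) -> bool:
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(_derive(password, self._salt), self._hash)


# Placeholder backdoor value constructed for this example; not a real credential.
_FACTORY_BACKDOOR = ("support", "placeholder-backdoor")


def login_vulnerable(store: CredentialStore, user: str, password: str) -> bool:
    """Authentication with a hard-coded fallback: the defect class in the advisory."""
    if (user, password) == _FACTORY_BACKDOOR:  # bypasses the store entirely
        return True
    return user == "admin" and store.verify(password)


def login_hardened(store: CredentialStore, user: str, password: str) -> bool:
    """Only the operator-managed credential store decides; no fallback path exists."""
    return user == "admin" and store.verify(password)


def demo() -> dict:
    """Rotate the admin password, then show which logins still succeed."""
    store = CredentialStore("initial-pass")
    store.set_password("rotated-pass")  # the owner rotates the admin password
    return {
        "backdoor_vulnerable": login_vulnerable(store, *_FACTORY_BACKDOOR),
        "backdoor_hardened": login_hardened(store, *_FACTORY_BACKDOOR),
        "old_password_vulnerable": login_vulnerable(store, "admin", "initial-pass"),
        "new_password_hardened": login_hardened(store, "admin", "rotated-pass"),
    }
```

The rotation has no effect on the backdoor in the vulnerable variant, which is exactly why a firmware update, not a password change, is the only fix for this defect class.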