HPE’s Wi‑Fi Kit Gets a Nasty Surprise: Hard‑Coded Passwords
Hewlett Packard Enterprise (HPE) has patched two nasty bugs in its Instant On wireless access‑points. The worst, CVE‑2025‑37103 (CVSS 9.8), comes from hard‑coded admin credentials that let anyone waltz straight past the login screen. A second flaw, CVE‑2025‑37102 (CVSS 7.2), allows command injection once you’re signed in. Chained together, the pair could hand an attacker full root control. Both issues are fixed in firmware 3.2.1.0. No other HPE Instant On kit is affected, and there’s no sign of active exploitation, but admins are urged to upgrade pronto.
If you’re running HPE Instant On access‑points, clear your diary: a critical firmware update has arrived, and it’s a corker.
The embarrassing bit
Security bods found hard‑coded admin credentials (yes, in 2025) baked into every affected access‑point. The flaw, labelled CVE‑2025‑37103 and scoring a sweaty 9.8/10, lets a remote miscreant skip the login screen like a VIP at a nightclub.
But wait, there’s more
Should said miscreant feel adventurous, they can pair the bug with CVE‑2025‑37102—a command‑injection hole in the CLI—to run whatever code they fancy, as root. Think of it as a two‑for‑one voucher on your network.
Who’s at risk?
Only Instant On Access‑Points with firmware before 3.2.1.0. HPE’s switches and other widgets are safe, so your cables can sleep easy.
What to do
1. Update to 3.2.1.0 or later—now, not after your tea break.
2. While you’re there, ditch any default passwords you’ve still got knocking about.
3. Pour yourself a well‑earned cuppa.
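If you look after more than a handful of these boxes, step 1 is quicker with a script. The one below is an added example for this post, not HPE tooling: it takes a constructed inventory of hostnames and firmware strings (the device names and versions are made up) and lists the Instant On access‑points still sitting below the fixed release, 3.2.1.0. Anything with a version it can’t parse is flagged too, on the principle that "unknown" is not the same as "patched".

```python
"""Triage an HPE Instant On inventory against the fixed firmware, 3.2.1.0.

Added example for this post. The inventory is constructed sample data, not
real device output; version strings follow the dotted form the advisory uses.
"""
import re

FIXED_VERSION = "3.2.1.0"  # first firmware containing the fix, per HPE

# Constructed sample inventory: (hostname, product family, firmware string).
INVENTORY = [
    ("ap-lobby-01", "Instant On AP", "3.1.2.0"),
    ("ap-office-02", "Instant On AP", "3.2.1.0"),
    ("ap-warehouse-03", "Instant On AP", "3.2.2.0"),
    ("sw-core-01", "Instant On Switch", "2.9.0.0"),
    ("ap-annex-04", "Instant On AP", "unknown"),
]


def parse_version(text):
    """Turn '3.2.1.0' into (3, 2, 1, 0); unparsable input returns None.

    Shorter strings are padded with zeros so '3.2.1' equals '3.2.1.0'.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)\s*$", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_vulnerable(firmware):
    """True when the firmware is older than the fixed release.

    A version we cannot parse is reported as vulnerable so it gets looked at
    rather than silently dropped from the list.
    """
    current = parse_version(firmware)
    if current is None:
        return True
    return current < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return (hostname, firmware) for every access point that needs updating.

    Switches are skipped because the advisory scopes both bugs to the APs.
    """
    return [
        (host, fw)
        for host, family, fw in inventory
        if family == "Instant On AP" and is_vulnerable(fw)
    ]


if __name__ == "__main__":
    for host, fw in triage(INVENTORY):
        print(f"{host}: firmware {fw!r} is below {FIXED_VERSION}, update required")
```

Swap the constructed list for whatever your management console exports and the same comparison applies; the tuple comparison also handles versions like 3.10.0.0 correctly, which a plain string comparison would get wrong.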
Lessons learned
Hard‑coded creds are like leaving a spare key under the plant pot: convenient for you, delightful for burglars. Patch early, patch often, and maybe stop baking passwords into devices, eh?
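For anyone writing device firmware and wondering what "stop baking passwords in" looks like in practice, here is an added illustration for this post. It is not HPE's code and says nothing about how their bug actually arose: the first function is a generic stand‑in for a password compiled into every unit, and the class after it shows the usual alternative, a credential chosen at first boot and stored only as a salted hash. All names and values are made up.

```python
"""Hard-coded admin password versus a per-device, hashed credential.

Added illustration, not vendor code. The 'vulnerable' function is a generic
example of the anti-pattern; the store below shows the provisioning-time
alternative. All identifiers and values are constructed.
"""
import hashlib
import hmac
import os

# --- The anti-pattern: one secret shipped in every firmware image ----------
BUILTIN_ADMIN_PASSWORD = "changeme123"  # constructed example value


def login_hardcoded(username, password):
    """Every unit accepts the same credential, so reading it out of a single
    firmware image is enough to log in to all of them."""
    return username == "admin" and password == BUILTIN_ADMIN_PASSWORD


# --- The fix: a credential set per device, kept only as a salted hash -------
PBKDF2_ROUNDS = 200_000


class CredentialStore:
    def __init__(self):
        self._records = {}  # username -> (salt, pbkdf2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def set_password(self, username, password):
        salt = os.urandom(16)  # fresh per account, so equal passwords differ on disk
        self._records[username] = (salt, self._digest(password, salt))

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            # Do the same amount of work for unknown accounts so response time
            # does not reveal which usernames exist.
            self._digest(password, b"\0" * 16)
            return False
        salt, expected = record
        # Constant-time comparison: no early exit on the first mismatching byte.
        return hmac.compare_digest(self._digest(password, salt), expected)


def first_boot_provision(store, admin_password):
    """Per-device setup: the installer picks the admin password at first boot.
    Nothing is baked into the image, and no default is left behind."""
    store.set_password("admin", admin_password)
    return store


if __name__ == "__main__":
    store = first_boot_provision(CredentialStore(), "per-device-secret")
    print("hard-coded login with the built-in value:", login_hardcoded("admin", "changeme123"))
    print("provisioned login with the built-in value:", store.verify("admin", "changeme123"))
    print("provisioned login with the real password:", store.verify("admin", "per-device-secret"))
```

The point of the second half is that there is no value an attacker can pull out of the firmware that works everywhere: each device's secret is chosen on site, and even a dump of the credential store yields only salted PBKDF2 output.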