Hewlett Packard Enterprise (HPE) has disclosed four high-severity vulnerabilities in its Aruba Networking Instant On devices, potentially exposing sensitive network information and enabling denial-of-service (DoS) attacks.
🔎 Vulnerability Breakdown
| CVE ID | Description | Severity | CVSS Score | Attack Vector |
|---|---|---|---|---|
| CVE-2025-37165 | VLAN information exposure in router mode | High | 7.5 | Network |
| CVE-2025-37166 | DoS via crafted packets causing device shutdown | High | 7.5 | Network |
| CVE-2023-52340 | Kernel packet processing memory corruption | High | 7.5 | Network |
| CVE-2022-48839 | IPv4/IPv6 packet handling vulnerability | High | 5.5 | Local |
Risks
- CVE-2025-37165: Exposes VLAN configuration details, revealing internal network topology.
- CVE-2025-37166: Crafted packets can force access points into a non-responsive state, requiring manual resets.
- CVE-2023-52340 & CVE-2022-48839: Kernel-level flaws in packet handling may cause memory corruption and system crashes.
Affected Infrastructure
- Products:
- HPE Networking Instant On Access Points
- Aruba Instant On 1930 Switch Series
- Firmware: Versions 3.3.1.0 and earlier.
- Not affected: Other Aruba Networking products.
Discovery
- CVE-2025-37165: Found by Daniel J Blueman (Quora.org).
- CVE-2025-37166: Reported by Petr Chelmar (GreyCortex).
- Kernel flaws: Discovered internally by HPE’s engineering team.
Mitigation
- Patch available: Firmware 3.3.2.0 fixes all four vulnerabilities.
- Automatic updates: Began rolling out December 10, 2025.
- Manual action: Organizations should verify firmware versions via the Instant On mobile app or web portal and trigger updates if needed.
- No workarounds: Immediate patching is the only effective mitigation.
Takeaway
While HPE reports no evidence of active exploitation, the network-accessible nature and low attack complexity of these flaws make unpatched devices highly vulnerable. Organizations should prioritize patching devices in sensitive or critical network segments and regularly review system security procedures to prevent similar risks in future releases.
Leave a Reply