HPE has released security patches for multiple high-severity vulnerabilities in HPE Networking Instant On devices that could expose internal VLAN configuration data and allow remote attackers to disrupt wireless networks or gain unauthorized insight into sensitive network information.
The flaws affect Instant On access points and 1930 switches running software version 3.3.1.0 and below, with a fix available in version 3.3.2.0 and later.
According to HPE’s security bulletin HPESBNW04988, the most critical issue, tracked as CVE-2025-37165, exists in the router mode configuration of HPE Networking Instant On access points and leads to exposure of VLAN information on unintended network interfaces.
When the device is operating in router mode, crafted traffic can cause internal network configuration details, such as VLAN identifiers and segmentation design, to be leaked through packets that should not normally reveal this information.
HPE Aruba Instant On Flaws Expose Network Details
This vulnerability is remotely exploitable over the network without authentication or user interaction and is rated High severity with a CVSS v3.1 score of 7.5, reflecting high confidentiality impact but no direct integrity or availability impact.
HPE warns that a malicious actor able to monitor or inject traffic on the affected interfaces could use the leaked VLAN and topology data to map internal segments and plan further lateral movement or targeted attacks against sensitive parts of the network.
The issue, which has no available workaround, was discovered and reported by Daniel J Blueman of Quora.org and is classified under the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network-based exploitation with low complexity and no required privileges.
A second high-severity flaw, CVE-2025-37166, affects HPE Networking Instant On access points and can be triggered when the device processes a specially crafted network packet.
Successful exploitation can push the access point into a non-responsive state, sometimes requiring a hard reset to restore services, effectively allowing an attacker to perform a remote denial-of-service attack against Wi-Fi infrastructure.
This issue, discovered by Petr Chelmar of GreyCortex, is also rated High with a CVSS v3.1 score of 7.5 using the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, highlighting its impact on availability rather than data or integrity.
In addition, HPE Instant On devices are impacted by multiple packet-processing issues in the underlying operating system kernel, documented as CVE-2023-52340 and CVE-2022-48839.
These kernel-level bugs, arising from IPv4 and IPv6 packet handling, can lead to denial-of-service conditions and memory corruption during normal device operation and are also rated High, with CVSS scores up to 7.5 depending on the individual CVE and attack vector.
HPE notes that these kernel vulnerabilities were resolved upstream by kernel developers and integrated by the HPE Instant On engineering team, but no specific workarounds are available beyond upgrading.
HPE states that it is not aware of any public exploit code or active attacks leveraging these vulnerabilities at the time of publication.
Customers are advised to upgrade affected Aruba Instant On 1930 Switch Series and Instant On access points to software version 3.3.2.0 or above, either via automatic updates that began rolling out in the week of December 10, 2025, or by initiating manual updates through the Instant On app or web portal.