Hewlett Packard Enterprise (HPE) has disclosed four high-severity vulnerabilities in its Aruba Networking Instant On devices that could allow attackers to access sensitive network information and disrupt operations.
The security flaws, identified as CVE-2025-37165, CVE-2025-37166, CVE-2023-52340, and CVE-2022-48839, affect devices running software version 3.3.1.0 and earlier.
Vulnerability Details and Risk Assessment
The most critical vulnerability, CVE-2025-37165, exposes VLAN configuration details through unintended network interfaces when devices operate in router mode.
Attackers can inspect affected packets to learn about the internal network topology and configuration settings.
This information disclosure flaw carries a CVSS v3.1 score of 7.5 and requires no authentication to exploit.
| CVE ID | Description | Severity | CVSS Score | CVSS v3.1 Vector | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-37165 | VLAN information exposure in router mode | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Network |
| CVE-2025-37166 | DoS via crafted packets causing device shutdown | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Network |
| CVE-2023-52340 | Kernel packet processing memory corruption | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Network |
| CVE-2022-48839 | IPv4/IPv6 packet handling vulnerability | High | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | Local |
CVE-2025-37166 enables denial-of-service attacks by sending specially crafted packets that force access points into a non-responsive state, potentially requiring physical hardware resets to restore functionality.
The vulnerability stems from improper packet processing mechanisms and shares the same 7.5 CVSS rating as the information disclosure flaw.
Two additional kernel-level vulnerabilities, CVE-2023-52340 and CVE-2022-48839, affect the underlying operating system’s handling of IPv4 and IPv6 packets.
These flaws could trigger memory corruption and system crashes, with CVSS scores of 7.5 and 5.5, respectively.
Affected Infrastructure and Exploitation Risk
The vulnerabilities specifically affect HPE Networking Instant On Access Points and Aruba Instant On 1930 Switch Series running firmware 3.3.1.0 or earlier.
HPE has confirmed that no other Aruba Networking products are affected by these security flaws.
Security researcher Daniel J Blueman of Quora.org discovered the VLAN exposure vulnerability, while Petr Chelmar of GreyCortex identified the denial-of-service flaw.
The kernel vulnerabilities were discovered internally by HPE’s Instant On engineering team during security audits.
HPE states it has no evidence of active exploitation in the wild as of the January 13, 2026, advisory publication date.
However, the network-accessible nature of three vulnerabilities and their low attack complexity significantly increases exploitation risk for unpatched devices exposed to internal or external networks.
HPE has released software version 3.3.2.0 that addresses all four vulnerabilities.
The company initiated automatic updates during the week of December 10, 2025, meaning many devices may already have received the security patch.
Organizations should verify their device firmware versions through the Instant On mobile application or web portal and manually trigger updates if automatic patching has not occurred.
No workarounds exist for any of the disclosed vulnerabilities, making immediate patching the only effective mitigation strategy.
Network administrators should prioritize updating devices that handle sensitive network segments or provide critical connectivity services.
HPE recommends reviewing system management and security procedures regularly to maintain infrastructure integrity and protect against similar vulnerabilities in future software releases.