
Aruba Patches High-Severity Vulnerabilities in Instant On Access Points and Routers

  • Jan 15

Key Findings


  • HPE Networking (formerly Aruba Networks) has released a software update for its Instant On series of access points and routers that fixes several vulnerabilities.

  • The flaws include a high-severity Denial-of-Service (DoS) vulnerability (CVE-2025-37166, CVSS 7.5) that can render devices unresponsive, and an information exposure issue (CVE-2025-37165) that could leak network configuration details from devices running in router mode.

  • The update also addresses two older Linux kernel vulnerabilities (CVE-2023-52340, CVE-2022-48839) in IPv4 and IPv6 packet handling that could lead to DoS or memory corruption.

  • Instant On devices began updating automatically during the week of December 1, but administrators should still confirm that each device reports firmware 3.3.2.0 or later.


Background


The Instant On series of access points and routers is a popular SMB networking solution from HPE Networking (formerly Aruba Networks). These devices provide Wi-Fi connectivity and routing capabilities for small and medium-sized businesses.


Denial-of-Service (DoS) Vulnerability


The most severe vulnerability in this batch is CVE-2025-37166, a high-severity flaw (CVSS 7.5) that can render Instant On devices unresponsive. An attacker who can deliver a specially crafted network packet to the device can push it into a non-responsive state, potentially requiring a hard reset to restore service. Since the only prerequisite the advisory describes is the ability to send that packet, the flaw could be leveraged for disruptive DoS attacks against small business networks.


Information Exposure


Another high-severity issue, CVE-2025-37165, affects devices operating in router mode: certain network configuration details are exposed on interfaces that should not carry them. An attacker able to read that data learns about the layout of the internal network, which can be used to plan more targeted attacks against the infrastructure.


Legacy Kernel Flaws


The update also fixes two older vulnerabilities in the underlying Linux kernel. CVE-2023-52340 and CVE-2022-48839 stem from the handling of IPv4 and IPv6 packets and could lead to DoS or memory corruption on the device.


Patching and Mitigation


HPE Networking has released software version 3.3.2.0 to resolve these issues. According to the advisory, Instant On devices started updating automatically during the week of December 1. Because the rollout is automatic but not guaranteed to have reached every device, administrators are advised to verify that each access point and router reports 3.3.2.0 or later.


For those unable to patch immediately, the advisory recommends restricting access to the CLI and web interfaces to a dedicated management VLAN, or enforcing strict firewall policies, as a temporary mitigation. Note that these measures protect the management plane; the advisory describes the DoS trigger only as a crafted network packet, so they should be treated as a stopgap, and confirming the firmware update remains the real fix.
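The advisory's "verify your firmware version" step is easy to get wrong at scale, because version strings such as 3.3.10.0 sort below 3.3.2.0 when compared as text. The following script is an added example, not code from HPE or from the original post: it reads a constructed device inventory (hypothetical device names, models and a simple comma-separated export format, none of which come from the advisory), compares each firmware string numerically against the fixed version 3.3.2.0, and groups devices into patched, unpatched and unknown. It uses no Instant On API; adapt parse_inventory() to whatever export your portal provides.

```python
"""Flag Instant On devices still below the fixed firmware (added example, not HPE code).

Assumptions (not from the advisory): the inventory format below is constructed
for illustration, device names and models are hypothetical, and firmware
strings are dotted numeric versions such as "3.3.2.0". No Instant On API is
used; export your inventory however your portal allows and adapt
parse_inventory() to that format.
"""
from __future__ import annotations

FIXED_VERSION = "3.3.2.0"  # version the advisory names as resolving the flaws

# Constructed sample inventory: "name,model,firmware" per line. The last entry
# deliberately has an empty firmware field to exercise the "unknown" path.
SAMPLE_INVENTORY = """\
ap-lobby,AP11,3.3.1.0
ap-office,AP22,3.3.2.0
router-edge,SR,3.3.10.0
ap-warehouse,AP15,3.2.9
ap-unknown,AP11,
"""


def parse_version(s: str) -> tuple[int, ...] | None:
    """Turn "3.3.2.0" into (3, 3, 2, 0); return None for empty or non-numeric input.

    Numeric comparison matters: a plain string compare ranks "3.3.10.0"
    below "3.3.2.0" because the character "1" sorts before "2".
    """
    s = s.strip()
    parts = s.split(".")
    if not s or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_patched(firmware: str, fixed: str = FIXED_VERSION) -> bool | None:
    """True if firmware >= fixed, False if below, None if the version is unreadable.

    Shorter versions are right-padded with zeros so that "3.3.2" == "3.3.2.0".
    """
    v, f = parse_version(firmware), parse_version(fixed)
    if v is None or f is None:
        return None
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v >= f


def parse_inventory(text: str) -> list[dict]:
    """Parse the constructed "name,model,firmware" export into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, model, fw = (line.split(",") + ["", ""])[:3]
        rows.append({"name": name.strip(), "model": model.strip(), "firmware": fw.strip()})
    return rows


def audit(text: str) -> dict[str, list[str]]:
    """Group device names by status: patched, unpatched, or unknown (unreadable version)."""
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for d in parse_inventory(text):
        status = is_patched(d["firmware"])
        key = "unknown" if status is None else ("patched" if status else "unpatched")
        result[key].append(d["name"])
    return result


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for key in ("unpatched", "unknown", "patched"):
        print(f"{key:9}: {', '.join(report[key]) or '-'}")
```

Devices in the "unknown" bucket (no readable version) deserve the same attention as unpatched ones: a device that cannot report its firmware is one you cannot prove has received the automatic update.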


Sources


  • https://securityonline.info/hpe-aruba-patches-high-severity-dos-and-data-leak-flaws-in-instant-on-devices/

  • https://securityonline.info/high-severity-flaws-in-hpe-aruba-networking-expose-mobility-controllers-to-attack/

  • https://securityonline.info/details-exposed-high-severity-aruba-via-root-flaw-publicly-disclosed/

© 2025 by Explain IT Again
