Critical HPE Aruba Flaws Allow Unauthorized Access to Data

David kimber
January 15, 2026

Hewlett Packard Enterprise (HPE) has disclosed four high-severity vulnerabilities affecting its Aruba Networking Instant On devices. If exploited, these flaws could grant attackers unauthorized access to sensitive network information and enable them to disrupt operations.

The security flaws, identified as CVE-2025-37165, CVE-2025-37166, CVE-2023-52340, and CVE-2022-48839, affect devices running software version 3.3.1.0 and earlier.

Vulnerability Details and Risk Assessment

The most critical vulnerability, CVE-2025-37165, exposes VLAN configuration details through unintended network interfaces when devices operate in router mode.

Attackers can inspect affected packets to learn about the internal network topology and configuration settings.

This information disclosure flaw carries a CVSS v3.1 score of 7.5 and requires no authentication to exploit.

| CVE ID | Description | Severity | CVSS Score | Vector | Attack Vector |
|---|---|---|---|---|---|
| CVE-2025-37165 | VLAN information exposure in router mode | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | Network |
| CVE-2025-37166 | DoS via crafted packets causing device shutdown | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Network |
| CVE-2023-52340 | Kernel packet processing memory corruption | High | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | Network |
| CVE-2022-48839 | IPv4/IPv6 packet handling vulnerability | High | 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H | Local |

CVE-2025-37166 enables denial-of-service attacks by sending specially crafted packets that force access points into a non-responsive state, potentially requiring physical hardware resets to restore functionality.

The vulnerability stems from improper packet processing mechanisms and shares the same 7.5 CVSS rating as the information disclosure flaw.

Two additional kernel-level vulnerabilities, CVE-2023-52340 and CVE-2022-48839, affect the underlying operating system’s handling of IPv4 and IPv6 packets.

These flaws could trigger memory corruption and system crashes, with CVSS scores of 7.5 and 5.5, respectively.

Affected Infrastructure and Exploitation Risk

The vulnerabilities specifically affect HPE Networking Instant On Access Points and the Aruba Instant On 1930 Switch Series running firmware 3.3.1.0 or earlier.

HPE has confirmed that no other Aruba Networking products are affected by these security flaws.

Security researcher Daniel J Blueman of Quora.org discovered the VLAN exposure vulnerability, while Petr Chelmar of GreyCortex identified the denial-of-service flaw.

The kernel vulnerabilities were discovered internally by HPE’s Instant On engineering team during security audits.

HPE states it has no evidence of active exploitation in the wild as of the January 13, 2026, advisory publication date.

However, the network-accessible nature of three of the vulnerabilities and their low attack complexity significantly increase the exploitation risk for unpatched devices exposed to internal or external networks.

HPE has released software version 3.3.2.0 that addresses all four vulnerabilities.

The company initiated automatic updates during the week of December 10, 2025, meaning many devices may already have received the security patch.

Organizations should verify their device firmware versions through the Instant On mobile application or web portal and manually trigger updates if automatic patching has not occurred.

No workarounds exist for any of the disclosed vulnerabilities, making immediate patching the only effective mitigation strategy.

Network administrators should prioritize updating devices that handle sensitive network segments or provide critical connectivity services.

HPE recommends reviewing system management and security procedures regularly to maintain infrastructure integrity and protect against similar vulnerabilities in future software releases.
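As an added example (not from HPE or the original article), the Python below recomputes the CVSS v3.1 base scores from the vectors in the table, picks out the CVEs reachable over the network without authentication or user interaction, and flags devices below the fixed release 3.3.2.0. The inventory entries are constructed, and treating every version below 3.3.2.0 as needing the update is an assumption.

```python
import math

FIXED = "3.3.2.0"  # fixed release named in the article
VECTORS = {  # CVSS vectors copied from the article's table
    "CVE-2025-37165": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "CVE-2025-37166": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "CVE-2023-52340": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "CVE-2022-48839": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
}
# CVSS v3.1 base-metric weights for scope-unchanged vectors
W = {"AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}, "AC": {"L": 0.77, "H": 0.44},
     "PR": {"N": 0.85, "L": 0.62, "H": 0.27}, "UI": {"N": 0.85, "R": 0.62},
     "CIA": {"H": 0.56, "L": 0.22, "N": 0.0}}
INVENTORY = [  # constructed sample; firmware strings as read from the app or portal
    ("ap-lobby", "3.3.1.0"), ("sw-1930-core", "3.3.2.0"),
    ("ap-warehouse", "3.2.0.0"), ("ap-lab", "3.10.0.0"),
]

def parse_vector(vector):
    prefix, *metrics = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError(f"unsupported vector: {vector}")
    return dict(m.split(":", 1) for m in metrics)

def roundup(x):  # round up to one decimal, as the CVSS v3.1 specification defines it
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0

def base_score(vector):
    m = parse_vector(vector)
    if m["S"] != "U":
        raise ValueError("scope-changed vectors are not handled here")
    iss = 1 - math.prod(1 - W["CIA"][m[k]] for k in "CIA")
    expl = 8.22 * math.prod(W[k][m[k]] for k in ("AV", "AC", "PR", "UI"))
    return 0.0 if iss <= 0 else roundup(min(6.42 * iss + expl, 10))

def remote_unauth(vector):
    m = parse_vector(vector)
    return (m["AV"], m["AC"], m["PR"], m["UI"]) == ("N", "L", "N", "N")

def needs_update(firmware):
    # Compare numerically: as strings, "3.10.0.0" would sort before "3.3.2.0".
    as_tuple = lambda v: tuple(int(p) for p in v.split("."))
    return as_tuple(firmware) < as_tuple(FIXED)

def triage(inventory):
    return [name for name, fw in inventory if needs_update(fw)]

if __name__ == "__main__":
    print({c: (base_score(v), remote_unauth(v)) for c, v in VECTORS.items()})
    print("update required:", triage(INVENTORY))
```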
