A critical vulnerability (CVE-2025-37103, CVSS 9.8) in HPE Instant On Access Points allows remote attackers to bypass authentication using hard-coded admin credentials. A related flaw (CVE-2025-37102, CVSS 7.2) enables authenticated command injection, which can be chained with the first to gain full control of the device.
Both vulnerabilities are patched in version 3.2.1.0. Other devices, such as HPE Instant On Switches, are unaffected. No active exploitation has been reported yet, but users are strongly urged to update immediately.