CVE-2025-37103
Published: 08 July 2025
Summary
CVE-2025-37103 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Hpe (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).
Deeper analysis
CVE-2025-37103 is a hard-coded credential vulnerability (CWE-798) affecting HPE Networking Instant On Access Points. The flaw embeds static login credentials that bypass normal device authentication mechanisms, enabling unauthorized access to the management interface.
A remote attacker who knows the credentials can exploit the issue over the network without any authentication or user interaction. Successful exploitation grants full administrative control over the affected access points, consistent with the CVSS 9.8 rating reflecting complete confidentiality, integrity, and availability impact.
The referenced HPE advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us&docLocale=en_US addresses the issue and associated remediation steps. The EPSS score remains low, with a current value of 0.0078 and a peak of 0.0106.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20682
Vulnerability details
Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hard-coded credentials directly enable use of valid accounts (T1078) for remote admin access on a public-facing network device, facilitating exploitation via T1190.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates management of authenticators to prohibit hard-coded credentials and require changes to defaults, preventing authentication bypass.
Requires account management processes to disable or remove accounts with hard-coded credentials, blocking unauthorized administrative access.
Ensures timely identification, reporting, and patching of flaws like hard-coded credentials via vendor updates, eliminating the vulnerability.