Cyber Resilience

CVE-2025-37103

Critical

Published: 08 July 2025

Published
08 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0078 74.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-37103 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Hpe (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked in the top 25.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2025-37103 is a hard-coded credential vulnerability (CWE-798) affecting HPE Networking Instant On Access Points. The flaw embeds static login credentials that bypass normal device authentication mechanisms, enabling unauthorized access to the management interface.

A remote attacker who knows the credentials can exploit the issue over the network without any authentication or user interaction. Successful exploitation grants full administrative control over the affected access points, consistent with the CVSS 9.8 rating reflecting complete confidentiality, integrity, and availability impact.

The referenced HPE advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us&docLocale=en_US addresses the issue and associated remediation steps. The EPSS score remains low, with a current value of 0.0078 and a peak of 0.0106.

EU & UK References

Vulnerability details

Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Hard-coded credentials directly enable use of valid accounts (T1078) for remote admin access on a public-facing network device, facilitating exploitation via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1393Shared CWE-798
CVE-2025-8857Shared CWE-798
CVE-2025-2538Shared CWE-798
CVE-2026-29023Shared CWE-798
CVE-2026-9139Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2020-36911Shared CWE-798
CVE-2026-28255Shared CWE-798
CVE-2026-35503Shared CWE-798
CVE-2024-9334Shared CWE-798

Affected Assets

Hpe
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates management of authenticators to prohibit hard-coded credentials and require changes to defaults, preventing authentication bypass.

prevent

Requires account management processes to disable or remove accounts with hard-coded credentials, blocking unauthorized administrative access.

preventrecover

Ensures timely identification, reporting, and patching of flaws like hard-coded credentials via vendor updates, eliminating the vulnerability.

References