Cyber Posture

CVE-2025-37103

Critical

Published: 08 July 2025

Published
08 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0078 73.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-37103 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Hpe (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078); ranked in the top 26.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Valid Accounts (T1078) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly mandates management of authenticators to prohibit hard-coded credentials and require changes to defaults, preventing authentication bypass.

AC-2 Account Management good match
prevent

Requires account management processes to disable or remove accounts with hard-coded credentials, blocking unauthorized administrative access.

SI-2 Flaw Remediation good match
preventrecover

Ensures timely identification, reporting, and patching of flaws like hard-coded credentials via vendor updates, eliminating the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Hard-coded credentials directly enable use of valid accounts (T1078) for remote admin access on a public-facing network device, facilitating exploitation via T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Hard-coded login credentials were found in HPE Networking Instant On Access Points, allowing anyone with knowledge of it to bypass normal device authentication. Successful exploitation could allow a remote attacker to gain administrative access to the system.

Deeper analysisAI

CVE-2025-37103 involves hard-coded login credentials discovered in HPE Networking Instant On Access Points. This vulnerability, classified under CWE-798 (Use of Hard-coded Credentials), enables bypassing standard device authentication mechanisms. It affects the specified HPE access point devices and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

A remote attacker with knowledge of the hard-coded credentials can exploit this vulnerability over the network. Exploitation requires low complexity, no prior privileges, and no user interaction, allowing the attacker to gain full administrative access to the affected system.

Mitigation details are available in the HPE security advisory at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04894en_us&docLocale=en_US.

Details

CWE(s)
CWE-798

Affected Products

Hpe
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-1393Shared CWE-798
CVE-2025-8857Shared CWE-798
CVE-2025-2538Shared CWE-798
CVE-2026-29023Shared CWE-798
CVE-2025-11126Shared CWE-798
CVE-2024-9334Shared CWE-798
CVE-2020-36911Shared CWE-798
CVE-2026-28255Shared CWE-798
CVE-2026-27073Shared CWE-798
CVE-2026-32834Shared CWE-798

References