CVE-2025-37165
Published: 13 January 2026
Summary
CVE-2025-37165 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Hpe (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
CVE-2025-37165 is a vulnerability in the router mode configuration of HPE Instant On Access Points that exposes certain network configuration details to unintended interfaces. Published on 2026-01-13, it allows inspection of impacted packets to reveal internal network configuration details and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no required privileges.
Any network-accessible malicious actor can exploit this vulnerability remotely without authentication. By capturing and inspecting the affected packets, attackers gain knowledge of internal network configuration details, enabling reconnaissance that could facilitate subsequent targeted attacks, though no direct integrity or availability impacts are possible.
The HPE security advisory provides details on mitigation and patches at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2192
Vulnerability details
A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability directly leaks internal network configuration details via packet inspection, enabling System Network Configuration Discovery (T1016) without authentication.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly remediates the flaw in HPE Instant On Access Points by applying vendor-provided patches that prevent exposure of internal network configuration details to unintended interfaces via impacted packets.
Enforces information flow control policies at managed interfaces to block sensitive network configuration details from reaching unintended interfaces on the access point.
Monitors and controls communications at external boundaries of access points, preventing remote attackers from inspecting packets that expose internal network configuration details.