Cyber Resilience

CVE-2025-37165

High

Published: 13 January 2026

Published
13 January 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0004 12.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-37165 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Hpe (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique System Network Configuration Discovery (T1016); ranked at the 12.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2025-37165 is a vulnerability in the router mode configuration of HPE Instant On Access Points that exposes certain network configuration details to unintended interfaces. Published on 2026-01-13, it allows inspection of impacted packets to reveal internal network configuration details and is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with low complexity and no required privileges.

Any network-accessible malicious actor can exploit this vulnerability remotely without authentication. By capturing and inspecting the affected packets, attackers gain knowledge of internal network configuration details, enabling reconnaissance that could facilitate subsequent targeted attacks, though no direct integrity or availability impacts are possible.

The HPE security advisory provides details on mitigation and patches at https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US.

EU & UK References

Vulnerability details

A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1016 System Network Configuration Discovery Discovery
Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems.
Why these techniques?

Vulnerability directly leaks internal network configuration details via packet inspection, enabling System Network Configuration Discovery (T1016) without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25281Shared CWE-200
CVE-2026-36539Shared CWE-200
CVE-2024-13796Shared CWE-200
CVE-2025-27784Shared CWE-200
CVE-2025-26001Shared CWE-200
CVE-2026-42826Shared CWE-200
CVE-2025-24232Shared CWE-200
CVE-2026-4712Shared CWE-200
CVE-2024-48125Shared CWE-200
CVE-2025-25975Shared CWE-200

Affected Assets

Hpe
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the flaw in HPE Instant On Access Points by applying vendor-provided patches that prevent exposure of internal network configuration details to unintended interfaces via impacted packets.

prevent

Enforces information flow control policies at managed interfaces to block sensitive network configuration details from reaching unintended interfaces on the access point.

prevent

Monitors and controls communications at external boundaries of access points, preventing remote attackers from inspecting packets that expose internal network configuration details.

References