HPE Aruba Flaws Allow Unauthorized Access to Sensitive Data

Hewlett Packard Enterprise has disclosed four high-severity vulnerabilities in its Aruba Networking Instant On devices that could allow attackers to access sensitive network information, disrupt services, and potentially cause memory corruption.

The security flaws, identified as CVE-2025-37165, CVE-2025-37166, CVE-2023-52340, and CVE-2022-48839, affect devices running software version 3.3.1.0 and earlier.

The vulnerabilities have CVSS scores ranging from 5.5 to 7.5, and three of them are classified as high severity. HPE released software version 3.3.2.0 to address these issues, and automatic updates began during the week of December 10, 2025.

Organizations using affected Instant On access points and switches should check their firmware versions and ensure the devices have received the security patch.

Technical details of the vulnerabilities

The most critical vulnerability, CVE-2025-37165, exposes VLAN configuration information via unwanted network interfaces when…