HPE Networking Product Security Advisory
==============================================
Advisory ID: HPESBNW04988
CVE: CVE-2025-37165, CVE-2025-37166, CVE-2023-52340, CVE-2022-48839
Publication Date: 2026-Jan-13
Status: Confirmed
Severity: High
Revision: 1

Title
=====
Multiple Vulnerabilities in HPE Networking Instant On Devices

Overview
========
HPE Networking has released a software patch for HPE Networking
Instant On devices that addresses multiple security vulnerabilities.

Affected Products
=================
HPE Networking Instant On devices running software version
  - 3.3.1.0 and below

Unaffected Products
=================
Any other HPE Networking products not specifically listed above are
not affected by these vulnerabilities.

Details
=======

Exposure of VLAN information in unintended network interfaces
(CVE-2025-37165)
---------------------------------------------------------------------
A vulnerability in the router mode configuration of HPE Instant On
Access Points exposed certain network configuration details to
unintended interfaces. A malicious actor could gain knowledge of
internal network configuration details through inspecting impacted
packets.

Internal References: ATLWL-563
Severity: High
CVSSv3.1 Overall Score: 7.5
CVSS3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Discovery: This vulnerability was discovered and reported by
Daniel J Blueman of Quora.org

Workaround: None

Unexpected shutdown in HPE Instant On Access Points after processing
specific packets
(CVE-2025-37166)
---------------------------------------------------------------------
A vulnerability affecting HPE Networking Instant On Access Points has
been identified where a device processing a specially crafted packet
could enter a non-responsive state, in some cases requiring a hard
reset to re-establish services. A malicious actor could leverage this
vulnerability to conduct a Denial-of-Service attack on a target
network.

Internal References: VULN-128
Severity: High
CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: This vulnerability was discovered and reported by
Petr Chelmar of GreyCortex

Workaround: None

Multiple vulnerabilities in packet processing identified in
underlying OS kernel
(CVE-2023-52340, CVE-2022-48839)
---------------------------------------------------------------------
Multiple vulnerabilities in the underlying OS kernel of HPE Networking
Instant On devices were identified and resolved upstream by kernel
developers. These vulnerabilities primarily stemmed from the
processing of IPv4 and IPv6 packets by the OS, which allowed the
potential for Denial-of-Service and memory corruption during device
operation.

Internal References: VULN-150
Severity: High
CVSS v3.1 Base Score: 7.5
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Discovery: These vulnerabilities were discovered by the HPE Instant On
engineering team

Workaround: None

Resolution
==========
Upgrade to HPE Networking Instant On software version 3.3.2.0 and
above.

Please note that Instant On devices started updating automatically
during the week of December 10, 2025. No action is required from
customers for this to occur, but manual upgrades may be triggered via
the Instant On app or web portal after the release date.

HPE Networking does not evaluate or patch software branches that have
reached their End of Support Life (EoSL) milestone. For more
information about HPE Networking products End of Support policy visit:
https://hpe.com/psnow/doc/a00143052enw

Workaround
==========
Vulnerability specific workarounds are listed per vulnerability above.
You may contact HPE Services - HPE Networking for assistance if
needed.

For more information, please visit HPE Aruba Networking Support Portal
at https://networkingsupport.hpe.com/home

Exploitation and Public Discussion
==================================
HPE Networking is not aware of any public discussion or exploit code
targeting these specific vulnerabilities as of the release date of the
advisory.

Revision History
================
Revision 1 / 2026-Jan-13 / Initial release

HPE Networking SIRT Security Procedures
==============================================
Complete information on reporting security vulnerabilities in HPE
Networking products and obtaining assistance with security incidents
is available at:
http://www.hpe.com/support/security-response-policy

For reporting NEW HPE Networking security issues, email can be sent to
aruba-sirt@hpe.com. For sensitive information we encourage the use of
PGP encryption. Our public keys can be found at:
https://www.hpe.com/info/psrt-pgp-key

(c) Copyright 2026 by Hewlett Packard Enterprise Development LP.
This advisory may be redistributed freely after the release date given
at the top of the text, provided that the redistributed copies are
complete and unmodified, including all data and version information