Hewlett Packard Enterprise (HPE) has disclosed 4 high-severity vulnerabilities in its Aruba Networking Immediate On units that would enable attackers to entry delicate community info and disrupt operations.
The safety flaws, recognized as CVE-2025-37165, CVE-2025-37166, CVE-2023-52340, and CVE-2022-48839, have an effect on units working software program model 3.3.1.0 and earlier.
Vulnerability Particulars and Threat Evaluation
Essentially the most important vulnerability, CVE-2025-37165, exposes VLAN configuration particulars by unintended community interfaces when units function in router mode.
Attackers can examine affected packets to study in regards to the inside community topology and configuration settings.
This info disclosure flaw carries a CVSS v3.1 rating of seven.5 and requires no authentication to use.
CVE IDDescriptionSeverityCVSS ScoreVectorAttack VectorCVE-2025-37165VLAN info publicity in router modeHigh7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NNetworkCVE-2025-37166DoS through crafted packets inflicting machine shutdownHigh7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HNetworkCVE-2023-52340Kernel packet processing reminiscence corruptionHigh7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HNetworkCVE-2022-48839IPv4/IPv6 packet dealing with vulnerabilityHigh5.5CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HLocal
CVE-2025-37166 permits denial-of-service assaults by sending specifically crafted packets that pressure entry factors right into a non-responsive state, probably requiring bodily {hardware} resets to revive performance.
The vulnerability stems from improper packet processing mechanisms and shares the identical 7.5 CVSS score as the data disclosure flaw.
Two extra kernel-level vulnerabilities, CVE-2023-52340 and CVE-2022-48839, have an effect on the underlying working system’s dealing with of IPv4 and IPv6 packets.
These flaws might set off reminiscence corruption and system crashes, with CVSS scores of seven.5 and 5.5, respectively.
Affected Infrastructure and Exploitation Threat
The vulnerabilities particularly have an effect on HPE Networking Immediate on Entry Factors and Aruba Immediate On 1930 Change Collection working firmware 3.3.1.0 or earlier.
HPE has confirmed that no different Aruba Networking merchandise are affected by these safety flaws.
Safety researcher Daniel J Blueman of Quora.org found the VLAN publicity vulnerability. On the identical time, Petr Chelmar of GreyCortex recognized the denial-of-service flaw.
The kernel vulnerabilities have been found internally by HPE’s Immediate On engineering staff throughout safety audits.
HPE states it has no proof of lively exploitation within the wild as of the January 13, 2026, advisory publication date.
Nevertheless, the network-accessible nature of three vulnerabilities and their low assault complexity considerably will increase exploitation danger for unpatched units uncovered to inside or exterior networks.
HPE has launched software program model 3.3.2.0 that addresses all 4 vulnerabilities.
The corporate initiated automated updates in the course of the week of December 10, 2025, that means many units might have already got acquired the safety patch.
Organizations ought to confirm their machine firmware variations by the Immediate On cellular utility or net portal and manually set off updates if automated patching has not occurred.
No workarounds exist for any of the disclosed vulnerabilities, making speedy patching the one efficient mitigation technique.
Community directors ought to prioritize updating units that deal with delicate community segments or present important connectivity providers.
HPE recommends reviewing system administration and safety procedures repeatedly to take care of infrastructure integrity and shield towards related vulnerabilities in future software program releases.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.
