HPE Networking has released a critical software patch for its popular Instant On series of access points and routers, addressing a trio of high-severity vulnerabilities that could allow attackers to crash networks or peek into internal configurations.
The advisory warns that devices running software version 3.3.1.0 and below are vulnerable to Denial-of-Service (DoS) attacks and information exposure.
The most disruptive flaw in the batch is CVE-2025-37166, a high-severity vulnerability (CVSS 7.5) that can knock access points offline. The issue stems from how the devices handle specific network traffic.
According to the advisory, “a device processing a specially crafted packet could enter a non-responsive state, in some cases requiring a hard reset to re-establish services”.
For small businesses relying on Instant On for connectivity, this means a malicious actor could “leverage this vulnerability to conduct a Denial-of-Service attack on a target network,” effectively shutting down operations until a manual reboot is performed.
Privacy is also at risk due to CVE-2025-37165, another high-severity flaw affecting the router mode configuration. This vulnerability “exposed certain network configuration details to unintended interfaces,” potentially giving attackers a roadmap of the internal network.
“A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets,” the report states. This intelligence could be used to craft more targeted attacks against the network infrastructure.
The update also cleans up legacy issues in the underlying operating system kernel (CVE-2023-52340, CVE-2022-48839). These flaws “stemmed from the processing of IPv4 and IPv6 packets by the OS, which allowed the potential for Denial-of-Service and memory corruption during device operation”.
HPE Networking has released software version 3.3.2.0 to resolve these issues. The good news for many administrators is that the patching process may already be underway; the advisory notes that “Instant On devices started updating automatically during the week of December 1”. However, users are urged to verify their firmware version to ensure they are protected.
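The advisory's thresholds (3.3.1.0 and below affected, 3.3.2.0 fixed) make a firmware-version check the obvious inventory control. The script below is an added example, not HPE's or the advisory's own code; the device names and the versions other than 3.3.1.0 and 3.3.2.0 are constructed, and it compares versions numerically segment by segment rather than as strings, so a hypothetical "3.3.10.0" is not mistaken for an older release.

```python
"""Triage Instant On firmware versions against the HPE advisory.

Devices on 3.3.1.0 and below are affected; 3.3.2.0 resolves the issues.
Versions are compared numerically per segment, not as plain strings.
"""
from typing import List, Tuple

FIXED_VERSION = "3.3.2.0"  # fixed release named in the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version like '3.3.1.0' into a comparable tuple of ints.
    Missing trailing segments are padded so '3.3.2' equals '3.3.2.0'."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    nums = [int(p) for p in parts]
    while len(nums) < 4:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version: str) -> bool:
    """True when the reported firmware is older than the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify (device, version) pairs as patched, vulnerable or unknown."""
    report = []
    for name, version in inventory:
        try:
            status = "vulnerable" if is_vulnerable(version) else "patched"
        except ValueError:
            status = "unknown"  # unparsable version: verify on the device
        report.append((name, version, status))
    return report


# Constructed sample inventory (hypothetical devices, not from the advisory).
SAMPLE_INVENTORY = [
    ("office-ap-1", "3.3.1.0"),
    ("office-ap-2", "3.3.2.0"),
    ("warehouse-router", "3.2.0.0"),
    ("lobby-ap", "3.3.10.0"),
    ("lab-ap", "n/a"),
]

if __name__ == "__main__":
    for name, version, status in triage(SAMPLE_INVENTORY):
        print(f"{name:18} {version:10} {status}")
```

Devices reported as "unknown" should be checked by hand, since an unparsable version string is exactly the case where automatic updating may not have applied.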