Table of Contents
- Is your Instant On firmware older than 3.3.1.0 putting your network at risk—and what should you update first?
- What’s affected
- What the vulnerabilities mean in plain language
- CVE-2025-37165 (Access Points, router mode): VLAN info exposure
- CVE-2025-37166 (Access Points): crafted packet can cause non-responsive state
- CVE-2023-52340 and CVE-2022-48839 (Underlying OS kernel): packet processing flaws
- What to do now (minimum steps that hold up in audits)
- Risk notes worth stating in your internal comms
- Where to get updates
Is your Instant On firmware older than 3.3.1.0 putting your network at risk—and what should you update first?
HPE has published a security advisory for Instant On access points and Instant On 1930 switches. Devices running firmware versions up to and including 3.3.1.0 are affected by multiple vulnerabilities, rated at CVSS 7.5 (High) in the advisory. The vendor disclosure date is January 13, 2025, and the practical takeaway is simple: update to firmware 3.3.2 or newer as soon as your change window allows.
What’s affected
The advisory applies to these product lines when they run software versions ≤3.3.1.0:
- Aruba Instant On 1930 Switch Series ≤3.3.1.0
- HPE Networking Instant On Access Points ≤3.3.1.0
If you manage multiple sites, treat "firmware drift" (devices at different firmware levels across the estate) as the main risk. One device left on an older release becomes the weak point an attacker targets, and a device below 3.3.1.0 is just as affected as one at exactly 3.3.1.0.
What the vulnerabilities mean in plain language
The advisory groups the issues into information exposure and packet-handling weaknesses that can lead to denial of service and, in some cases, memory corruption. Here is what each CVE implies for day-to-day network operations.
CVE-2025-37165 (Access Points, router mode): VLAN info exposure
When an access point runs in router mode, VLAN configuration details can be exposed on interfaces that should not carry them. That helps an attacker map your internal segmentation and VLAN design. Mapping does not equal compromise, but it reduces attacker effort and increases the chance of follow-on attacks against the segments it reveals.
CVE-2025-37166 (Access Points): crafted packet can cause non-responsive state
A specially crafted packet can make an access point stop responding, and recovery may require a hard reset. In operational terms, this is a reliability and uptime risk that can interrupt Wi‑Fi service and the business workflows that depend on it.
CVE-2023-52340 and CVE-2022-48839 (Underlying OS kernel): packet processing flaws
These are upstream Linux kernel vulnerabilities in IPv4/IPv6 packet handling that the Instant On firmware inherits. The impact described includes denial of service and possible memory corruption. Memory corruption raises the stakes because such flaws can sometimes be chained into more serious outcomes, even when the initial write-up emphasizes stability.
HPE also states that it is not aware of public exploit code or active exploitation of these specific issues at the time of the advisory. That lowers the immediate likelihood of opportunistic mass exploitation, but it should not delay patching: public awareness tends to increase attacker interest over time.
What to do now (minimum steps that hold up in audits)
- Inventory Instant On APs and 1930 switches and record the current firmware version of each.
- Prioritize any device that is internet-exposed or reachable from untrusted networks, including guest VLANs, and any AP running in router mode.
- Schedule an update to firmware 3.3.2 or newer for all impacted devices.
- After updating, confirm:
  - the firmware version matches your target baseline
  - devices rejoin management cleanly
  - WLAN service and switch uplinks remain stable
- Keep a simple change record: date, site, device count, firmware version before and after, and validation notes. That record is what an audit or internal review will ask for.
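The inventory and verification steps above are easy to get wrong if firmware versions are compared as strings (a plain string comparison sorts "3.3.10.0" below "3.3.2.0"). The following script is an added example, not part of the HPE advisory or of any Instant On tooling; it takes a constructed, hypothetical inventory (device names, sites and versions are made up), flags every device at or below 3.3.1.0, orders the patch queue with untrusted-reachable devices and router-mode APs first, and reports which devices still sit below the 3.3.2 baseline after the change window. In practice you would export the inventory from the Instant On portal or your CMDB instead of embedding it.

```python
"""Flag Instant On devices on firmware <= 3.3.1.0 and order the patch queue.

Added example: not HPE or Instant On code. The inventory below is constructed
for illustration. Versions are compared field by field as integers, because a
plain string comparison sorts "3.3.10.0" below "3.3.2.0".
"""
from __future__ import annotations

from dataclasses import dataclass

LAST_VULNERABLE = "3.3.1.0"   # advisory: affected if <= 3.3.1.0
TARGET_BASELINE = "3.3.2"     # advisory: fixed in 3.3.2 or newer


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '3.3.2' into (3, 3, 2, 0) so short and long forms compare equal."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def is_affected(version: str) -> bool:
    """True when the device runs a release named as affected by the advisory."""
    return parse_version(version) <= parse_version(LAST_VULNERABLE)


def meets_baseline(version: str, baseline: str = TARGET_BASELINE) -> bool:
    """True when the device is at or above the target release."""
    return parse_version(version) >= parse_version(baseline)


@dataclass(frozen=True)
class Device:
    name: str
    site: str
    model: str                  # "AP" or "1930"
    firmware: str
    untrusted_reachable: bool   # internet-exposed or reachable from a guest VLAN
    router_mode: bool = False   # APs only; relevant to CVE-2025-37165


# Constructed sample inventory (hypothetical names, sites and versions).
INVENTORY = [
    Device("ap-hq-lobby", "HQ", "AP", "3.3.1.0", True, router_mode=True),
    Device("ap-hq-floor2", "HQ", "AP", "3.3.2.0", False),
    Device("sw-branch1-core", "Branch-1", "1930", "3.2.0.0", False),
    Device("ap-branch1-guest", "Branch-1", "AP", "3.3.0.1", True),
    Device("sw-hq-edge", "HQ", "1930", "3.3.10.0", True),  # a string compare would mis-flag this
]


def patch_queue(devices: list[Device]) -> list[Device]:
    """Affected devices, most exposed first: untrusted-reachable, then router-mode APs, then oldest firmware."""
    affected = [d for d in devices if is_affected(d.firmware)]
    return sorted(
        affected,
        key=lambda d: (
            not d.untrusted_reachable,
            not (d.model == "AP" and d.router_mode),
            parse_version(d.firmware),
        ),
    )


def verify_after_update(devices: list[Device]) -> list[str]:
    """Names of devices still below the target baseline; empty list means the estate is uniform."""
    return [d.name for d in devices if not meets_baseline(d.firmware)]


if __name__ == "__main__":
    print("patch queue (highest priority first):")
    for d in patch_queue(INVENTORY):
        print(f"  {d.site:9} {d.model:5} {d.name:18} {d.firmware:9} "
              f"exposed={d.untrusted_reachable} router_mode={d.router_mode}")
    print("still below baseline:", verify_after_update(INVENTORY))
```

Re-run `verify_after_update` against a fresh inventory export after the change window; the list it returns should be empty before you close the change record, and anything left in it is the "firmware drift" the earlier section warns about.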
Risk notes worth stating in your internal comms
- This is not just "a bug fix." The release closes issues that can expose configuration details and disrupt service availability.
- A DoS against a Wi‑Fi access point can look like "random instability," so upgrading can also cut troubleshooting time.
- Bringing every device to the same baseline matters more than patching one device quickly. A uniform baseline closes the easy gaps.
Where to get updates
Firmware updates for Instant On 1930 switches are provided by HPE on the download site referenced in the security advisory. Use the vendor-recommended release that meets or exceeds 3.3.2 and follow your normal maintenance window process.