HPE OneView for VMware vCenter Vulnerability Allows Elevated Access
Hewlett Packard Enterprise (HPE) has issued a critical security bulletin warning customers of a significant vulnerability in its OneView for VMware vCenter (OV4VC) software.
The flaw, tracked as CVE-2025-37101, could allow attackers with only read-only privileges to escalate their access and perform administrative actions, putting enterprise IT environments at risk.
Vulnerability Overview
The vulnerability, detailed in HPE’s security bulletin HPESBGN04876 rev.1, affects all versions of HPE OneView for VMware vCenter with Operations Manager and Log Insight prior to version 11.7.
According to HPE, a local attacker with read-only access can exploit this flaw to gain elevated privileges, effectively allowing them to execute administrative functions without proper authorization.
This type of vertical privilege escalation is particularly dangerous, as it could enable unauthorized changes to critical infrastructure, data exposure, or service disruption.
HPE has assigned a CVSS v3.1 base score of 8.7 (High) to this vulnerability, reflecting its potential impact and ease of exploitation.
The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H. Its components denote low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), a scope change (S:C), no confidentiality impact (C:N) and high impact on integrity and availability (I:H/A:H). Note that the vector's attack-vector component is network (AV:N), whereas HPE's own description characterises the attacker as local.
| Field | Data |
| --- | --- |
| CVE ID | CVE-2025-37101 |
| Affected Product | HPE OneView for VMware vCenter (OV4VC) |
| Impacted Versions | All versions prior to v11.7 |
| Vulnerability Type | Local Elevation of Privilege (Vertical Privilege Escalation) |
| CVSS v3.1 Base Score | 8.7 (High) |
HPE strongly recommends that all customers using affected versions upgrade to OneView for VMware vCenter v11.7 or later as soon as possible.
The update is available through the My HPE Software Center. Applying this patch is the only confirmed way to mitigate the vulnerability and protect systems from potential exploitation.
For organizations unable to upgrade immediately, HPE advises reviewing user permissions and monitoring systems for unusual activity.
Customers are also encouraged to follow their standard patch management policies for third-party software and to contact HPE support for further assistance.
HPE has provided contact channels for customers who need help implementing the patch or have questions about the vulnerability.
This high-severity vulnerability highlights the importance of timely patching and proactive security management in enterprise IT environments.
Organizations using HPE OneView for VMware vCenter should act quickly to secure their infrastructure and prevent potential breaches.