HPE OneView for VMware vCenter Allows Escalation of Privileges
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
A significant security vulnerability in Hewlett-Packard Enterprise OneView for VMware vCenter (OV4VC) platform that could allow attackers with limited access to escalate their privileges to administrative levels.
The vulnerability, tracked as CVE-2025-37101, affects all versions of the software prior to version 11.7 and carries a high CVSS severity score of 8.7, indicating a substantial risk to enterprise environments.
Summary
1.HPE OneView for VMware vCenter has a privilege escalation flaw (CVE-2025-37101) allowing read-only users to gain admin access.
2. The flaw affects all versions before v11.7, compromising system integrity and availability.
3. All HPE OneView deployments with Operations Manager and Log Insight are vulnerable to unauthorized access.
4. Immediately upgrade to v11.7 or later from My HPE Software Center to eliminate the security risk.
Vertical Privilege Escalation Flaw
The security flaw enables what cybersecurity experts term “Vertical Privilege Escalation,” where an attacker possessing only read-only privileges can exploit the vulnerability to perform administrative actions typically reserved for users with elevated permissions.
According to HPE’s Product Security Response Team, this vulnerability could be exploited by malicious actors who have already gained initial access to the system with limited privileges.
The vulnerability is classified under the Common Vulnerability Scoring System (CVSS) Version 3.1 with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H.
This technical notation indicates that the attack can be executed over a network with low complexity, requires low-level privileges, and involves user interaction, while potentially causing high impact to both the integrity and availability of the affected systems.
The vulnerability targets explicitly HPE OneView for VMware vCenter with Operations Manager and Log Insight components, making it particularly concerning for enterprises relying on HPE’s infrastructure management solutions.
The ability for operators to perform admin actions through privilege escalation presents significant security risks, potentially allowing unauthorized configuration changes, data access, or system disruption.
Enterprise security teams should be particularly concerned about this vulnerability given its 8.7 CVSS base score, which places it in the “High” severity category.
Risk Factors Details Affected ProductsHPE OneView for VMware vCenter with Operations Manager and Log Insight – All versions prior to v11.7ImpactLocal Elevation of PrivilegeExploit Prerequisites– Network access to the system- Low-level privileges (read-only access)- User interaction required- Low attack complexityCVSS 3.1 Score8.7 (High)
Patch Available
HPE has released a comprehensive fix for this security issue through HPE OneView for VMware vCenter v11.7, which addresses the privilege escalation vulnerability.
Organizations currently running affected versions should prioritize updating to this latest release, available through the My HPE Software Center portal.
IT administrators should implement the patch immediately to prevent potential exploitation of this vulnerability in production environments.
Security experts recommend that organizations audit their current HPE OneView deployments and expedite the upgrade process, particularly in environments where multiple users have varying levels of system access.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
HPE OneView for VMware vCenter Allows Escalation of Privileges
Author: KaaviyaA significant security vulnerability in Hewlett-Packard Enterprise OneView for VMware vCenter (OV4VC) platform that could allow attackers with limited access to escalate their privileges to administrative levels.
The vulnerability, tracked as CVE-2025-37101, affects all versions of the software prior to version 11.7 and carries a high CVSS severity score of 8.7, indicating a substantial risk to enterprise environments.
Summary
1.HPE OneView for VMware vCenter has a privilege escalation flaw (CVE-2025-37101) allowing read-only users to gain admin access.
2. The flaw affects all versions before v11.7, compromising system integrity and availability.
3. All HPE OneView deployments with Operations Manager and Log Insight are vulnerable to unauthorized access.
4. Immediately upgrade to v11.7 or later from My HPE Software Center to eliminate the security risk.
Vertical Privilege Escalation Flaw
The security flaw enables what cybersecurity experts term “Vertical Privilege Escalation,” where an attacker possessing only read-only privileges can exploit the vulnerability to perform administrative actions typically reserved for users with elevated permissions.
According to HPE’s Product Security Response Team, this vulnerability could be exploited by malicious actors who have already gained initial access to the system with limited privileges.
The vulnerability is classified under the Common Vulnerability Scoring System (CVSS) Version 3.1 with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H.
This technical notation indicates that the attack can be executed over a network with low complexity, requires low-level privileges, and involves user interaction, while potentially causing high impact to both the integrity and availability of the affected systems.
The vulnerability targets explicitly HPE OneView for VMware vCenter with Operations Manager and Log Insight components, making it particularly concerning for enterprises relying on HPE’s infrastructure management solutions.
The ability for operators to perform admin actions through privilege escalation presents significant security risks, potentially allowing unauthorized configuration changes, data access, or system disruption.
Enterprise security teams should be particularly concerned about this vulnerability given its 8.7 CVSS base score, which places it in the “High” severity category.
Risk Factors Details Affected ProductsHPE OneView for VMware vCenter with Operations Manager and Log Insight – All versions prior to v11.7ImpactLocal Elevation of PrivilegeExploit Prerequisites– Network access to the system- Low-level privileges (read-only access)- User interaction required- Low attack complexityCVSS 3.1 Score8.7 (High)
Patch Available
HPE has released a comprehensive fix for this security issue through HPE OneView for VMware vCenter v11.7, which addresses the privilege escalation vulnerability.
Organizations currently running affected versions should prioritize updating to this latest release, available through the My HPE Software Center portal.
IT administrators should implement the patch immediately to prevent potential exploitation of this vulnerability in production environments.
Security experts recommend that organizations audit their current HPE OneView deployments and expedite the upgrade process, particularly in environments where multiple users have varying levels of system access.
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
