_.png)
![[The AI Show Episode 151]: Anthropic CEO: AI Will Destroy 50% of Entry-Level Jobs, Veo 3’s Scary Lifelike Videos, Meta Aims to Fully Automate Ads & Perplexity’s Burning Cash](https://www.marketingaiinstitute.com/hubfs/ep%20151%20cover.png)
![From electrical engineering student to CTO with Hitesh Choudhary [Podcast #175]](https://cdn.hashnode.com/res/hashnode/image/upload/v1749158756824/3996a2ad-53e5-4a8f-ab97-2c77a6f66ba3.png?#)
.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
_Michael_Vi_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![watchOS 26 May Bring Third-Party Widgets to Control Center [Report]](https://www.iclarified.com/images/news/97520/97520/97520-640.jpg)
![AirPods Pro 2 On Sale for $169 — Save $80! [Deal]](https://www.iclarified.com/images/news/97526/97526/97526-640.jpg)
HPE Insight Remote Support Vulnerability Let Attackers Execute Remote Code
Multiple severe security vulnerabilities in HPE Insight Remote Support (IRS) platform that could allow attackers to execute remote code, traverse directories, and access sensitive information. The vulnerabilities affect versions prior to 7.15.0.646 and pose significant risks to enterprise infrastructure management systems. Critical HPE IRS Remote Execution Vulnerability This critical vulnerability CVE-2025-37099 scored 9.8 on the […] The post HPE Insight Remote Support Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.
Multiple severe security vulnerabilities in HPE Insight Remote Support (IRS) platform that could allow attackers to execute remote code, traverse directories, and access sensitive information.
The vulnerabilities affect versions prior to 7.15.0.646 and pose significant risks to enterprise infrastructure management systems.
Critical HPE IRS Remote Execution Vulnerability
This critical vulnerability CVE-2025-37099 scored 9.8 on the CVSS v3.1 scale uses the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network-based exploitation requiring no privileges or user interaction.
Attackers can exploit this flaw to execute arbitrary commands on unpatched IRS installations, potentially compromising entire enterprise monitoring systems.
The vulnerability stems from improper input validation in IRS’s data processing routines, allowing malicious payloads to bypass security checks. Successful exploitation enables attackers to:
- Deploy ransomware or cryptominers across connected systems.
- Manipulate monitoring data to hide malicious activities.
- Establish persistent backdoors for lateral movement within networks.
HPE confirms this vulnerability was reported through Trend Micro’s Zero Day Initiative , highlighting its appeal to advanced threat actors.
Medium-Severity HPE IRS Flaws
CVE-2025-37097 is a Directory Traversal flaw (CVSS 7.5) that enables attackers to access files outside the IRS’s restricted directories. While rated 7.5, it serves as a critical enabler for follow-on attacks by exposing:
- Configuration files containing credentials for connected devices.
- TLS certificates are used for secure communications.
- System logs reveal network architecture details.
CVE-2025-37098 is a Privileged Information Disclosure (CVSS 6.5). This medium-severity vulnerability allows authenticated users with low privileges to access sensitive system information. The flaw exposes:
- API keys for integrated HPE OneView systems.
- Hardware inventory details of managed servers.
- Firmware versions of connected storage arrays.
While requiring valid credentials, this vulnerability becomes particularly dangerous in compromised environments where attackers have obtained basic access through phishing or credential-stuffing attacks.
CVEs Affected Products Impact Exploit Prerequisites CVSS 3.1 Score CVE-2025-37099 HPE Insight Remote Support <7.15.0.646 Remote Code Execution (RCE) Network access; No authentication 9.8 (Critical) CVE-2025-37097 HPE Insight Remote Support <7.15.0.646 Directory Traversal Network access; No authentication 7.5 (High) CVE-2025-37098 HPE Insight Remote Support <7.15.0.646 Information Disclosure Network access; Low privileges 6.5 (Medium)
Remediation
HPE has released Insight Remote Support version 7.15.0.646 to address all identified vulnerabilities.
The company strongly recommends an immediate upgrade to this version or later releases to mitigate security risks. Organizations should prioritize patching efforts based on the critical CVSS 9.8 rating of CVE-2025-37099.
The embedded software management capability provides automated patch deployment through Administrator Settings > Software Updates.
HPE recommends enabling the “Automatically Download and Install” option from the Automatic Update Level dropdown to ensure continuous security updates.
System administrators should implement additional security measures, including network segmentation, access controls, and monitoring for suspicious activities targeting HPE Insight Remote Support installations.
Regular security assessments and adherence to patch management policies remain essential for maintaining secure enterprise environments.
Speed up and enrich threat investigations with Threat Intelligence Lookup! -> 50 trial search requests
The post HPE Insight Remote Support Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.
