Hewlett Packard Enterprise (HPE) has issued a critical security bulletin disclosing three vulnerabilities in its Insight Remote Support (IRS) software, including a critical-severity flaw enabling remote code execution (CVE-2025-37099).
The vulnerabilities, affecting versions prior to 7.15.0.646, could allow attackers to traverse directories, leak sensitive information, or execute arbitrary commands on unpatched systems.
HPE urges immediate updating to IRS v7.15.0.646, released on June 4, 2025, to mitigate risks of external exploitation.
The vulnerabilities were reported by Tenable and an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).
The three vulnerabilities pose distinct risks, with CVE-2025-37099 the most severe. Rated 9.8 (Critical) on the CVSS v3.1 scale, it allows an unauthenticated attacker to execute arbitrary code over the network with no user interaction.
Its root cause is that IRS deserializes attacker-controlled data carried in specific service requests without adequate validation, so a crafted payload is executed rather than rejected.
CVE-2025-37097 and CVE-2025-37098 are less severe but still significant. The former (CVSS 7.5) is a directory traversal that lets an attacker read files outside the intended directory, while the latter (CVSS 6.5) lets an authenticated attacker retrieve sensitive configuration data.
The flaws also compose: an attacker can use the traversal or the information disclosure to harvest configuration data and credentials from an IRS host, and the RCE to take over the host outright, so a single unpatched instance serves as both reconnaissance target and foothold.
HPE’s advisory emphasizes that all three vulnerabilities reside in the IRS components that handle communication for automated support-case generation and hardware monitoring.
Compromising these components could enable lateral movement across enterprise networks, particularly in environments where IRS integrates with HPE’s OneView or iLO management controllers.
HPE Vulnerabilities
CVE-2025-37099’s attack vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates full network accessibility with no privilege requirements.
The flaw is improper deserialization in IRS’s Java-based services: an attacker supplies a crafted serialized object, and deserializing it runs attacker-chosen code (typically via a gadget chain of classes already on the classpath) rather than merely restoring data.
Because the IRS service runs with elevated privileges, successful exploitation yields SYSTEM-level access on Windows hosts or root on Linux deployments.
Directory traversal via CVE-2025-37097 occurs when IRS processes specially crafted filenames containing “../” sequences, allowing unauthorized access to files outside the designated support bundle directory.
Although HPE rates this High rather than Critical (CVSS 7.5), arbitrary file read on a support host is serious in its own right: the files reachable outside the bundle directory can include credential stores and TLS private keys, which can be reused to reach the systems IRS monitors.
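To make the traversal concrete, here is an added illustrative example in Python (not HPE’s code; the bundle directory path and the function names are assumptions). It places a naive path join beside a hardened resolver that strips percent-encoding before normalising and then checks that the result is still inside the bundle directory, which is the general fix for this class of bug, not just the “../” form the advisory describes.

```python
import posixpath
from urllib.parse import unquote

# Assumed location of the support-bundle directory; illustrative only.
BASE_DIR = "/opt/irs/support_bundles"


def vulnerable_resolve(filename: str) -> str:
    """Naive join: a filename containing '../' walks out of BASE_DIR."""
    return BASE_DIR + "/" + filename


def naive_target(filename: str) -> str:
    """The path the OS would actually open for the naive join."""
    return posixpath.normpath(vulnerable_resolve(filename))


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Undo percent-encoding until the string stops changing, so both
    '%2e%2e%2f' and double-encoded '%252e%252e%252f' are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(filename: str) -> str:
    """Return the canonical path for filename inside BASE_DIR, or raise ValueError."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    # Treat backslashes as separators too, so Windows-style '..\\..' is normalised.
    decoded = decode_fully(filename).replace("\\", "/")
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded))
    # posixpath.join discards BASE_DIR when decoded is absolute, and normpath
    # collapses '..' segments; the prefix check rejects both kinds of escape
    # (and the bundle directory itself, which is not a file).
    if not candidate.startswith(BASE_DIR + "/"):
        raise ValueError(f"path escapes bundle directory: {candidate}")
    return candidate


def is_allowed(filename: str) -> bool:
    """True if safe_resolve accepts the filename, False otherwise."""
    try:
        safe_resolve(filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in ("bundle-4431.zip", "../../../etc/passwd",
                 "..%2f..%2fconf%2fapp.properties", "%252e%252e%252fsecrets"):
        print(f"{name!r:40} naive -> {naive_target(name):40} allowed={is_allowed(name)}")
```

The prefix check is the part that matters: rejecting the literal string “../” is not enough, because the same traversal arrives as `%2e%2e%2f`, as a double-encoded `%252e`, or with backslashes, and the only reliable test is whether the fully decoded, normalised path still sits under the allowed directory.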
The information disclosure vulnerability (CVE-2025-37098) stems from improper session token handling in IRS’s web interface.
Authenticated users—including low-privilege operators—can manipulate API endpoints to retrieve administrative credentials stored in memory.
Although it requires valid credentials, a low-privilege account that can harvest administrative credentials drastically lowers the bar for lateral movement once an attacker has an initial foothold.
Mitigations
HPE has addressed these vulnerabilities in IRS v7.15.0.646 with improved input sanitization and session management. Administrators should immediately:
- Navigate to Administrator Settings > Software Updates
- Select Automatically Download and Install from the Automatic Update Level dropdown
- Confirm installation of build 7.15.0.646 or newer
For air-gapped systems, HPE provides manual patch bundles through its support portal, requiring validation of cryptographic hashes before deployment.
The company also recommends auditing IRS log files (accessible via Monitoring > Event Logs) for signs of exploitation attempts, particularly unexpected service restarts or unauthorized configuration changes.
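As an added illustrative example of that log review (not HPE tooling; the log format and every sample line below are constructed, and real IRS logs will differ), the following Python scans request logs for two indicators tied to the bugs above: encoded “../” sequences in request paths, and the base64-encoded Java serialization stream header in request parameters.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real IRS output). The format is assumed to be
# a conventional web access log: client, timestamp, request line, status.
SAMPLE_LOG = """\
10.0.5.21 - - [05/Jun/2025:09:12:01 +0000] "GET /irs/bundles/bundle-4431.zip HTTP/1.1" 200
203.0.113.9 - - [05/Jun/2025:09:12:07 +0000] "GET /irs/bundles/..%2f..%2f..%2fwindows%2fwin.ini HTTP/1.1" 200
203.0.113.9 - - [05/Jun/2025:09:12:09 +0000] "GET /irs/bundles/%252e%252e/%252e%252e/conf/app.properties HTTP/1.1" 404
203.0.113.9 - - [05/Jun/2025:09:13:44 +0000] "POST /irs/service?data=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA HTTP/1.1" 500
10.0.5.21 - - [05/Jun/2025:09:14:02 +0000] "GET /irs/status HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def indicators(target: str) -> list[str]:
    """Return indicator tags for one request target."""
    tags = []
    # Strip up to three layers of percent-encoding and treat backslash as a
    # separator, so '..%2f', '%252e%252e' and '..\\..' all surface as '../'.
    decoded = unquote(unquote(unquote(target))).replace("\\", "/")
    if "../" in decoded or decoded.endswith("/.."):
        tags.append("path-traversal")
    # 'rO0AB' is the base64 encoding of the Java serialization stream header
    # (bytes AC ED 00 05); seeing it in a parameter or body is a strong sign
    # of a deserialization payload.
    if "rO0AB" in target or "aced0005" in decoded.lower():
        tags.append("java-serialized-object")
    return tags


def scan(log_text: str) -> list[dict]:
    """Parse each line and return the suspicious ones with their tags."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue
        tags = indicators(m["target"])
        if tags:
            hits.append({"line": lineno, "ip": m["ip"], "status": int(m["status"]),
                         "target": m["target"], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']:>2} {hit['ip']:<14} {hit['status']} "
              f"{','.join(hit['tags'])}  {hit['target']}")
```

When triaging the output, weigh the status code: a traversal request answered with 200 (line 2 in the sample) indicates the file was served, whereas a 404 suggests the attempt failed, and a 500 on a request carrying a serialized object can mean either a failed gadget chain or a successful one that crashed the handler afterwards, so it warrants a host-level check either way.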
Organizations unable to immediately patch should restrict network access to IRS instances using firewall rules and segment management interfaces from general enterprise networks.
These vulnerabilities underscore the criticality of maintaining updated support infrastructure in hybrid IT environments.
With IRS serving as a nexus for hardware telemetry across HPE ecosystems, timely patching prevents cascading breaches affecting servers, storage arrays, and network appliances.
Security teams should map these advisories to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1210 (Exploitation of Remote Services) when reviewing detection coverage.