A newly identified security flaw (CVE-2025-37101) in HPE OneView for VMware vCenter (OV4VC) enables attackers with read-only privileges to execute administrative actions, posing significant risks to virtual infrastructure security.
Rated 8.7 (High severity) on the CVSS v3.1 scale, this vertical privilege escalation vulnerability affects all OV4VC versions before v11.7.
HPE has released patches to address the issue, urging immediate installation to prevent exploitation.
Vulnerability Mechanics and Attack Vectors
The flaw permits authenticated low-privilege users (e.g., operators) to bypass role-based access controls and perform administrative commands.
Attack vectors include:
- Network-based exploitation (AV:N) requiring low attack complexity (AC:L)
- Privilege escalation from operator to admin-level rights
- Potential impact on confidentiality, integrity, and availability through unauthorized configuration changes.
The vulnerability stems from improper access control implementation in OV4VC’s authorization layer, allowing privilege boundary violations without additional authentication.
Affected Products and Mitigation Measures
Impacted versions:
- All HPE OneView for VMware vCenter with Operations Manager and Log Insight deployments before v11.7.
Mitigation protocol:
- Download and install OV4VC v11.7 or later from HPE’s Software Center
- Audit user roles to ensure least-privilege principles
- Monitor authentication logs for anomalous privilege usage.
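The last two mitigation steps, auditing roles and watching for anomalous privilege usage, can be approximated with an audit check over the appliance's logs. The following is an added example, not HPE's code: it assumes a role hierarchy (read-only < operator < admin), an action-to-role mapping and a log line format that are constructed here, since the page does not give OV4VC's real format, and flags any successful action whose required role outranks the actor's assigned role, which is exactly the operator-to-admin boundary violation the advisory describes. It also includes a version check against the fixed release v11.7.

```python
import re

# Assumed role hierarchy and action-to-role mapping (constructed, not HPE's).
ROLE_RANK = {"read-only": 0, "operator": 1, "admin": 2}
REQUIRED_ROLE = {"list_hosts": "read-only", "refresh_inventory": "operator",
                 "change_network_config": "admin", "add_user": "admin"}
# Roles as assigned in the user directory (constructed sample).
ASSIGNED_ROLE = {"alice": "admin", "bob": "operator", "carol": "read-only"}
# Assumed audit-log line format; OV4VC's real format is not given on the page.
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$")


def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_escalations(lines):
    """Flag successful actions whose required role outranks the actor's assigned role."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # denied attempts are not violations; malformed lines are skipped
        assigned = ASSIGNED_ROLE.get(ev["user"], "read-only")  # unknown user: lowest rank
        required = REQUIRED_ROLE.get(ev["action"], "admin")    # unknown action: treat as privileged
        if ROLE_RANK[assigned] < ROLE_RANK[required]:
            findings.append({**ev, "assigned": assigned, "required": required})
    return findings


def is_affected(version):
    """True when an OV4VC version string (e.g. 'v11.6.2') is below the fixed release v11.7."""
    parts = version.lstrip("v").split(".")
    major, minor = int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    return (major, minor) < (11, 7)


# Constructed sample log: bob (operator) succeeds at an admin-only action on line 2.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z user=bob action=refresh_inventory result=success
2025-06-01T10:00:07Z user=bob action=change_network_config result=success
2025-06-01T10:01:15Z user=carol action=add_user result=denied
2025-06-01T10:02:30Z user=alice action=add_user result=success
""".splitlines()

if __name__ == "__main__":
    for f in find_escalations(SAMPLE_LOG):
        print(f"ESCALATION {f['ts']} {f['user']} ({f['assigned']}) ran {f['action']} (requires {f['required']})")
```

On a patched appliance such a finding should never occur; on an unpatched one it is the signal to investigate the account and roll back the configuration change.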
HPE confirmed no active exploits in the wild but emphasizes urgency due to the vulnerability’s high exploitability.
Broader Security Context
This flaw follows multiple critical vulnerabilities in HPE products:
- StoreOnce (CVE-2025-37093): Authentication bypass (CVSS 9.8)
- OneView (CVE-2024-38475/6): Apache Tomcat flaws (CVSS 9.8)
- OV4VC’s historical weaknesses include XSS (CVE-2021-26584) and command injection flaws (CVE-2023-50274).
Administrators should prioritize patch deployment and review HPE’s security bulletin HPESBGN04876 for technical remediation details.
The convergence of virtualization management and critical infrastructure necessitates rigorous access control validation to prevent supply-chain attacks.