The advisory notes that any third-party security patches that are to be installed on systems running HPE software products should be applied in accordance with the customer's patch management policy.
Asked for comment, an HPE spokesperson said the company has nothing to say beyond its advisory, other than to urge admins to download and install the patches as soon as possible.
Jack Bicer, director of vulnerability research at Action1, said that because this vulnerability can be exploited without authentication or any user interaction, it is "an extremely severe security issue. There are no available workarounds, so the patch should be applied immediately. Until the patch can be applied, restrict network access to the OneView management interface to trusted administrative networks only."
HPE describes OneView as a solution that simplifies infrastructure lifecycle management across compute, storage and networking through a unified API. It allows admins to create a list of workload-optimized infrastructure templates so more general IT staff can quickly and reliably provision resources. These templates can rapidly provision physical, virtual, and containerized systems, setting up BIOS settings, local RAID configuration, firmware baseline, shared storage and more. HPE says software-defined intelligence allows IT to run multiple applications concurrently with repeatable templates that ensure high reliability, consistency, and control. The vendor also says the embedded automation speeds provisioning and lowers operating expenses.
The most recent major vulnerability in OneView was disclosed in June: CVE-2025-37101, a local elevation of privilege issue which relates specifically to OneView for VMware vCenter. If exploited, an attacker with read-only privilege could escalate their access to allow them to perform admin actions.
This article originally appeared on CSOonline.
