"HPE Insight Remote Support CVE-2025-37099 (CVSS 9.8): Unauthenticated RCE — Upgrade to 7.15.0.646"

HPE Insight Remote Support (IRS) is the agent many organizations run to send telemetry and support cases back to HPE for ProLiant, Alletra, StoreOnce, and other infrastructure. Because it sits inside your environment, talks to your hardware, and often runs with high privilege, a vulnerability in IRS is worth treating seriously. In June 2025, HPE disclosed three flaws in IRS, including a maximum-impact unauthenticated remote code execution bug, CVE-2025-37099. All three are fixed in the same release. This post lays out what is confirmed by the advisories, who is affected, and how to remediate.
What happened
HPE published a security bulletin covering three vulnerabilities in HPE Insight Remote Support. The most severe, CVE-2025-37099, allows a remote, unauthenticated attacker to execute arbitrary code on the host running IRS. According to the Zero Day Initiative advisory (ZDI-25-325), the root cause is a lack of proper validation of a user-supplied path in the processAttachmentDataStream method before it is used in a file operation — a directory-traversal condition that leads to code execution. NVD classifies the issue as CWE-94 (code injection) and confirms the unauthenticated, network-reachable attack path.
The two companion issues, CVE-2025-37097 and CVE-2025-37098, are lower severity but worth patching in the same maintenance window since they are fixed by the same update.
The flaws were reported to HPE through Trend Micro's Zero Day Initiative and Tenable. HPE released the fixed build, IRS v7.15.0.646, on June 4, 2025.
Affected products and versions
The advisory scopes all three CVEs to HPE Insight Remote Support running a version prior to 7.15.0.646. The remediation is the same single upgrade for all three.
| Product | Affected | Fixed |
|---|---|---|
| HPE Insight Remote Support (IRS) | All versions prior to v7.15.0.646 | v7.15.0.646 and later |
Note that IRS is a Windows-hosted application; successful exploitation of CVE-2025-37099 yields SYSTEM-level access on the host. The advisory does not enumerate older branch-specific builds — the guidance is simply to move to 7.15.0.646 or newer.
How serious is it
- CVE-2025-37099 — Remote code execution. CVSS 3.1 base score 9.8 (Critical), vector
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Network-reachable, no authentication, no user interaction. This is the one to prioritize. - CVE-2025-37097 — Denial of service. CVSS 3.1 base score 7.5 (High), unauthenticated. Per NVD, this can cause a denial-of-service condition.
- CVE-2025-37098 — Path traversal / disclosure. CVSS 3.1 base score 7.5 (High) per NVD, vector
C:H/I:N/A:N, classified as CWE-22 (path traversal) with a confidentiality impact.
A note on sources: NVD and the ZDI advisory are the authoritative references and are what we cite for scores and mechanism. Some secondary news write-ups characterize CVE-2025-37099 as a Java deserialization bug and assign CVE-2025-37098 a lower CVSS — those details are not what the primary advisories state, so we have used the vendor/NVD/ZDI descriptions.
Exploitation status: As of this writing, CVE-2025-37099 is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, and we found no confirmed reports of active in-the-wild exploitation. It was responsibly disclosed through ZDI. That is good news, but a CVSS 9.8 unauthenticated RCE in a widely deployed support agent is exactly the kind of flaw that attracts attention once details and patches are public, so the absence of known exploitation is not a reason to delay patching.
Am I exposed?
Ask three questions:
- Do you run HPE Insight Remote Support at all? Many shops install it during initial hardware deployment and forget it. Check your management/jump servers and any host registered to relay support cases to HPE.
- What version is it? In the IRS console, confirm the build. Anything below 7.15.0.646 is affected by all three CVEs.
- Is it reachable? CVE-2025-37099 is exploitable over the network without credentials. The risk is highest where the IRS host is reachable from broad internal segments or, worse, anything internet-adjacent. IRS should never be exposed to the public internet.
If you are unsure whether IRS is even running, inventory your HPE-adjacent Windows hosts for the Insight Remote Support service before assuming you are clear.
How to fix it
Primary remediation: Upgrade HPE Insight Remote Support to v7.15.0.646 or later. This single release remediates CVE-2025-37099, CVE-2025-37097, and CVE-2025-37098. Download the build from the HPE Support Center and follow HPE's standard IRS upgrade procedure. There is no partial fix — patching is the supported resolution.
Interim mitigations (until you can patch, not as a substitute for it):
- Restrict network reach. Limit inbound access to the IRS host to only the management addresses that must reach it; place it behind segmentation/firewall rules. Confirm it is not exposed to the internet.
- Monitor the host. Watch for unexpected processes, file writes outside expected directories, and outbound connections from the IRS server, given the path-traversal-to-code-execution nature of the flaw.
- Plan the upgrade window now. Because the same build closes all three issues, there is no reason to stage them separately.
After upgrading, verify the reported version in the IRS console and re-test that telemetry/case submission to HPE still functions.
How Uniqcli helps
Uniqcli is an authorized reseller of HPE, HPE Aruba Networking, and HPE Juniper Networking, and we work with federal, SLED, healthcare, and enterprise customers who run this exact software stack. We can:
- Assess exposure. Help you inventory where IRS is deployed across your HPE estate and confirm which hosts are below 7.15.0.646.
- Support the upgrade. Coordinate the IRS update and validate that remote support telemetry continues to flow afterward, with minimal disruption.
- Source patched and replacement hardware. If this advisory is the nudge to refresh aging infrastructure or right-size your management tooling, we can quote current, fully supported HPE platforms.
- Procure the right way. We support compliant acquisition through TAA-compliant, GSA Schedule, and NASA SEWP vehicles for public-sector buyers, plus enterprise terms for commercial customers.
If you would like help confirming your IRS version or planning the upgrade, reach out to Uniqcli and we will walk through it with your team.
Sources
- HPE Security Bulletin — HPE Insight Remote Support (IRS), Multiple Vulnerabilities (hpesbgn04878en_us)
- NVD — CVE-2025-37099
- NVD — CVE-2025-37097
- NVD — CVE-2025-37098
- Zero Day Initiative — ZDI-25-325 (CVE-2025-37099)
- CyberPress — Critical HPE Insight Remote Support Vulnerabilities Enable Remote Code Execution
- CyberSecurityNews — HPE Insight Remote Support Vulnerability Lets Attackers Execute Remote Code
- CISA — Known Exploited Vulnerabilities Catalog