
Critical RCE Flaw Found in HPE Insight Remote Support Tool



Hewlett Packard Enterprise (HPE) has released a critical security bulletin addressing multiple high-impact vulnerabilities in its Insight Remote Support (IRS) software, affecting versions prior to 7.15.0.646.

These flaws, identified by external researchers and disclosed to HPE, could allow remote attackers to execute arbitrary code, traverse directories, and exfiltrate sensitive information from affected systems.

Technical Breakdown of Vulnerabilities

The vulnerabilities are tracked as CVE-2025-37097, CVE-2025-37098, and CVE-2025-37099, with CVSS base scores ranging from 6.5 to 9.8, indicating high to critical severity.

Here’s a technical overview of the primary attack vectors:

  • Directory Traversal & Remote Code Execution (RCE):
    • The IRS service’s file upload mechanism, specifically the processAtatchmentDataStream method in DataPackageReceiverWebSvcHelper, fails to properly validate the attachmentName parameter. This allows attackers to use directory traversal sequences (e.g., ../../) to write files outside the intended directory, potentially placing malicious web shells in executable paths ...
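The traversal pattern described above, as an added example that is not HPE's code: a vulnerable join of a client-supplied attachment name onto the store directory, beside a hardened resolver and a helper for checking logged attachment names. ATTACHMENT_ROOT and every function name are assumptions.

```python
import posixpath

# Constructed example: attachment store of a hypothetical upload service.
# ATTACHMENT_ROOT and the function names are assumptions, not HPE's code.
ATTACHMENT_ROOT = "/var/lib/irs/attachments"


class InvalidAttachmentName(ValueError):
    """Raised when a client-supplied attachment name is rejected."""


def resolve_unsafe(attachment_name: str, root: str = ATTACHMENT_ROOT) -> str:
    """Vulnerable pattern: the client-controlled name is joined straight
    onto the base directory, so '../' sequences (or an absolute name)
    select a path outside the attachment store."""
    return posixpath.normpath(posixpath.join(root, attachment_name))


def resolve_hardened(attachment_name: str, root: str = ATTACHMENT_ROOT) -> str:
    """Hardened form: accept only a bare file name, then verify that the
    normalized result still lies beneath the root before using it."""
    root = posixpath.normpath(root)
    if not attachment_name or attachment_name in (".", ".."):
        raise InvalidAttachmentName(attachment_name)
    # Reject POSIX and Windows separators and NUL bytes outright; a bare
    # attachment name has no business containing any of them.
    if any(ch in attachment_name for ch in ("/", "\\", "\x00")):
        raise InvalidAttachmentName(attachment_name)
    candidate = posixpath.normpath(posixpath.join(root, attachment_name))
    # Containment check on the normalized path, in case the filter above
    # ever misses a case.
    if posixpath.commonpath([root, candidate]) != root:
        raise InvalidAttachmentName(attachment_name)
    return candidate


def escapes_root(attachment_name: str, root: str = ATTACHMENT_ROOT) -> bool:
    """Review helper for upload logs: True when the unsafe resolution of
    this attachment name would land outside the attachment store."""
    root = posixpath.normpath(root)
    resolved = resolve_unsafe(attachment_name, root)
    return posixpath.commonpath([root, resolved]) != root


if __name__ == "__main__":
    # Constructed sample names as they might appear in an upload log.
    for name in ("report.txt", "../../../../tmp/escaped.txt", "/etc/passwd"):
        print(f"{name!r}: unsafe -> {resolve_unsafe(name)}, "
              f"escapes_root={escapes_root(name)}")
```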

Copyright of this story solely belongs to gbhackers.