Multiple RCE Vulnerabilities in HP products (CVE-2025-31651, CVE-2024-38476, CVE-2025-37099, CVE-2025-37093, CVE-2024-5171)

Published On: Jun 16, 2025 08:57

Advisory No: TZCERT-SA-25-0099

Source: HP

Software Affected: HPE Telco Service Orchestrator, HPE OneView, HPE Insight Remote Support (IRS), HPE StoreOnce Software, HP ThinPro

Overview

Five HP and HPE products are affected by critical vulnerabilities (CVSS 9.8 to 10). Successful exploitation may allow a remote attacker to execute arbitrary code on the affected system.

Description

HPE Telco Service Orchestrator, HPE OneView, HPE Insight Remote Support (IRS), HPE StoreOnce Software, and HP ThinPro are affected by vulnerabilities tracked as CVE-2025-31651, CVE-2024-38476, CVE-2025-37099, CVE-2025-37093, and CVE-2024-5171, respectively, with CVSS scores of 9.8 and 10. CVE-2025-31651 (HPE Telco Service Orchestrator) is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability. CVE-2024-38476 (HPE OneView) is triggered by backend applications whose response headers are malicious or exploitable. CVE-2025-37099 (HPE Insight Remote Support) results from a lack of proper validation of a user-supplied path before it is used in file operations. CVE-2025-37093 (HPE StoreOnce Software) results from improper handling of an authentication algorithm. CVE-2024-5171 (HP ThinPro) is an integer overflow in the libaom internal function img_alloc_helper. Depending on the product, a remote attacker may be able to cause a denial of service, execute code, disclose source code or other information, perform server-side request forgery (SSRF), or achieve local script execution on the affected device.
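The root cause cited for CVE-2024-5171, an integer overflow in libaom's img_alloc_helper, is the classic allocation-size wrap: a pixel count multiplied in 32-bit arithmetic wraps to a small number, a small buffer is allocated, and later writes run off the end of it. The C below is an added illustration for this advisory, not libaom's code or any HP/HPE code. It places the vulnerable size computation next to a hardened one that multiplies in size_t, checks for overflow before each multiplication, and bounds the result. The function and macro names (img_size_unchecked, img_size_checked, img_alloc_checked, MAX_IMG_BYTES) and the 1 GiB limit are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Illustrative code only: these names (img_size_unchecked, img_size_checked,
 * img_alloc_checked, MAX_IMG_BYTES) are assumptions for this example and are
 * not libaom's img_alloc_helper or any HP/HPE code. */

/* Assumed policy limit for a single image buffer (1 GiB). */
#define MAX_IMG_BYTES ((size_t)1 << 30)

/* Vulnerable pattern: the byte count is computed in 32-bit unsigned
 * arithmetic, so width * height * bpp wraps modulo 2^32 for large
 * dimensions. A caller that allocates this many bytes and then writes
 * width * height * bpp bytes of pixel data overflows the heap buffer. */
uint32_t img_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* silently wraps */
}

/* Hardened pattern: multiply in size_t, test for overflow before each
 * multiplication, and reject sizes above the policy limit.
 * Returns the byte count, or 0 if the request is invalid. */
size_t img_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;

    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)      /* width * height overflows */
        return 0;
    n = (size_t)width * height;
    if (n > SIZE_MAX / bpp)                     /* n * bpp overflows */
        return 0;
    n *= bpp;
    if (n > MAX_IMG_BYTES)                      /* larger than policy allows */
        return 0;
    return n;
}

/* Allocates a zeroed image buffer only when the size check passes. */
void *img_alloc_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = img_size_checked(width, height, bpp);
    if (n == 0)
        return NULL;
    return calloc(1, n);
}

int main(void)
{
    /* Constructed inputs: a normal 640x480 RGB frame and an oversized
     * 65536x65536 frame whose 32-bit size wraps to exactly 0. */
    printf("640x480x3   unchecked=%u checked=%zu\n",
           img_size_unchecked(640, 480, 3), img_size_checked(640, 480, 3));
    printf("65536x65536 unchecked=%u checked=%zu\n",
           img_size_unchecked(65536, 65536, 1), img_size_checked(65536, 65536, 1));
    void *p = img_alloc_checked(65536, 65536, 1);
    printf("oversized allocation %s\n", p ? "ALLOWED (bug)" : "rejected");
    free(p);
    return 0;
}
```

The unchecked variant returns 0 bytes for a 65536x65536 single-channel frame, so an allocation based on it succeeds with a zero-length buffer that the decoder then fills; the checked variant rejects the same request before any allocation happens. When reviewing a patch for this class of bug, look for every place dimensions from untrusted input feed a multiplication whose result sizes a buffer, not only the one function named in the CVE.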

Impact

Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.

Solution

HP and HPE have released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
