What is the CVSS score of CVE-2025-37101?

CVE-2025-37101 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of VMware are affected by CVE-2025-37101?

HPE OneView for VMware vCenter (OV4VC) contains a privilege escalation vulnerability (CVSS 8.7) that allows read-only users to escalate their access and perform administrative actions, potentially…. A patch is available.

How to fix or mitigate CVE-2025-37101?

Within 24 hours: Identify all HPE OneView for VMware vCenter deployments and document current versions. Within 7 days: Contact HPE for specific patched version availability and test in non-production environment. Within 30 days: Apply vendor-released patch to all OV4VC instances and verify privilege separation is properly enforced post-update.

VMware CVE-2025-37101

EUVD-2025-19250 HIGH

Improper Privilege Management (CWE-269)

2025-06-26 security-alert@hpe.com

Privilege Escalation VMware

8.7

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:36 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

11.7

EUVD ID Assigned

Mar 15, 2026 - 23:54 euvd

EUVD-2025-19250

Analysis Generated

Mar 15, 2026 - 23:54 vuln.today

CVE Published

Jun 26, 2025 - 06:15 nvd

HIGH 8.7

DescriptionNVD

A potential security vulnerability has been identified in HPE OneView for VMware vCenter (OV4VC). This vulnerability could be exploited allowing an attacker with read only privilege to cause Vertical Privilege Escalation (operator can perform admin actions).

Analysis

Technical ContextAI

Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. This vulnerability is classified as Improper Privilege Management (CWE-269).

RemediationAI

Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).

CVE-2025-37101 vulnerability details – vuln.today

Back