Hewlett Packard Enterprise (HPE) has fixed a critical security vulnerability in its HPE OneView software that could allow attackers to take full control of affected systems. The flaw has been given the highest possible CVSS score of 10.0, making it one of the most severe vulnerabilities seen this year.
The vulnerability, tracked as CVE-2025-37164, allows unauthenticated remote code execution (RCE). This means an attacker does not need a username or password to exploit the flaw. If successfully abused, the attacker could run malicious code remotely, potentially gaining complete access to the underlying infrastructure.
HPE OneView is a widely used IT infrastructure management platform designed to simplify operations in modern data centers. It provides a centralized dashboard to manage servers, storage, networking, and firmware across enterprise environments.
Many large organizations rely on HPE OneView to manage critical workloads, including virtualized environments and HPE Synergy systems. Because of its central role, any serious vulnerability in OneView can have a high impact on business operations and security.
According to HPE, the vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code on the affected system.
In its official security advisory, HPE stated:
“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution.”
While HPE has not publicly disclosed the technical root cause, the CVSS 10.0 rating confirms that the flaw:
- Requires no authentication
- Can be exploited remotely
- Has a high impact on confidentiality, integrity, and availability
In simple terms, a successful attack could allow threat actors to fully compromise systems managed by OneView.
The vulnerability affects all versions of HPE OneView prior to version 11.00.
HPE has confirmed that:
- HPE OneView version 11.00 fully fixes the vulnerability
- A hotfix is available for earlier supported versions
The hotfix applies to:
- HPE OneView versions 5.20 through 10.20
HPE has shared important guidance regarding the hotfix installation process. Organizations should be aware that:
- The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00
- The hotfix must also be reapplied after any HPE Synergy Composer reimaging operations
Separate hotfixes are available for:
- HPE OneView Virtual Appliance
- HPE Synergy Composer2
Failure to reapply the hotfix in these scenarios could leave systems vulnerable again.
At the time of disclosure, HPE had not reported any active exploitation in the wild. However, security experts warn that vulnerabilities with a CVSS score of 10.0 often become attractive targets for attackers soon after public disclosure.
Once details of such flaws are shared, threat actors typically move quickly to develop proof-of-concept exploits, especially for enterprise software used in data centers.
For this reason, organizations are strongly advised to apply the patches immediately, even if no attacks have been detected yet.
The risk associated with CVE-2025-37164 is especially high because:
- HPE OneView often runs with high privileges
- It has access to multiple connected systems
- A compromise could lead to lateral movement across the network
- Attackers could disrupt operations, steal data, or deploy ransomware
In worst-case scenarios, attackers could use OneView as a single point of compromise to control large portions of an enterprise IT environment.
This is not the first time HPE has addressed serious security flaws in its products.
Earlier in June, HPE released patches for eight vulnerabilities in its StoreOnce data backup and deduplication solution. Some of those flaws could allow:
- Authentication bypass
- Remote code execution
In addition, HPE previously released OneView version 10.00 to fix multiple vulnerabilities in third-party components, including:
- Apache Tomcat
- Apache HTTP Server
These recurring issues highlight the importance of regular patching, vulnerability management, and system hardening in enterprise environments.
To reduce risk, HPE customers should take the following steps immediately:
- Identify affected OneView instances in the environment
- Upgrade to HPE OneView version 11.00 where possible
- Apply the relevant hotfix for versions 5.20 to 10.20
- Reapply hotfixes after upgrades or reimaging operations
- Monitor systems for unusual activity or signs of compromise
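The first four steps above amount to a version triage: every appliance below 11.00 is affected, only 5.20 through 10.20 can take the hotfix, and an applied hotfix stops counting after the two events HPE names (an upgrade from 6.60 or later to 7.00.00, or a Synergy Composer reimaging). The script below is an added example, not HPE's tooling, that encodes exactly those rules from the advisory text against a constructed inventory. The inventory records and their field names are assumptions; a real run would populate them from the organization's CMDB or appliance records. Version strings are compared numerically per component, because a plain string comparison would sort "10.20" before "5.20".

```python
"""Triage HPE OneView appliances against the CVE-2025-37164 fix guidance.

Added example (not HPE code). Rules encoded here come from the advisory
as summarised in the article:
  * every version before 11.00 is affected; 11.00 fully fixes the flaw
  * a hotfix exists for 5.20 through 10.20
  * the hotfix must be reapplied after upgrading from 6.60+ to 7.00.00
  * the hotfix must be reapplied after any Synergy Composer reimaging
The Appliance record shape and the sample inventory are constructed.
"""
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = "11.00"                    # fully fixes the vulnerability
HOTFIX_MIN, HOTFIX_MAX = "5.20", "10.20"   # hotfix-eligible range
REAPPLY_UPGRADE_FROM = "6.60"              # upgrading from >= this ...
REAPPLY_UPGRADE_TO = "7.00.00"             # ... to this invalidates the hotfix


def parse_version(v: str) -> tuple:
    """Turn "7.00.00" into (7,) and "10.20" into (10, 20).

    Components are compared as integers, and trailing zero components are
    dropped so "7.00" and "7.00.00" are treated as the same release.
    """
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class Appliance:
    """One OneView appliance as an asset owner might record it (assumed shape)."""
    name: str
    version: str
    hotfix_applied: bool = False
    # Events since the hotfix was applied that invalidate it per the advisory.
    reimaged_since_hotfix: bool = False
    upgraded_from: Optional[str] = None   # version before the latest upgrade


def classify(a: Appliance) -> str:
    """Return a remediation status for one appliance.

    Statuses: fixed, hotfixed, needs-hotfix, hotfix-reapply-required,
    affected-upgrade-required.
    """
    v = parse_version(a.version)
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    if not (parse_version(HOTFIX_MIN) <= v <= parse_version(HOTFIX_MAX)):
        # Affected, but outside the hotfix range: only an upgrade helps.
        return "affected-upgrade-required"
    if not a.hotfix_applied:
        return "needs-hotfix"
    if a.reimaged_since_hotfix:
        return "hotfix-reapply-required"
    if (a.upgraded_from is not None
            and parse_version(a.upgraded_from) >= parse_version(REAPPLY_UPGRADE_FROM)
            and v == parse_version(REAPPLY_UPGRADE_TO)):
        # Hotfix was applied on 6.60+ and the appliance then moved to 7.00.00.
        return "hotfix-reapply-required"
    return "hotfixed"


def triage(inventory) -> dict:
    """Map appliance name -> status for a whole inventory."""
    return {a.name: classify(a) for a in inventory}


# Constructed sample inventory; names and versions are made up for illustration.
SAMPLE_INVENTORY = [
    Appliance("ov-prod-01", "11.00"),
    Appliance("ov-prod-02", "10.20"),
    Appliance("ov-lab-01", "5.20", hotfix_applied=True),
    Appliance("ov-dc2-01", "7.00.00", hotfix_applied=True, upgraded_from="6.60"),
    Appliance("composer-a", "8.10", hotfix_applied=True, reimaged_since_hotfix=True),
    Appliance("ov-legacy", "5.00"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {status}")
```

Anything other than "fixed" or "hotfixed" is an action item; the two "hotfix-reapply-required" cases are the ones the article warns are easy to miss after an upgrade or reimage.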
Security teams should also ensure that OneView systems are:
- Not exposed directly to the internet
- Protected by network segmentation
- Monitored through centralized logging and alerting
The discovery of CVE-2025-37164 is a strong reminder of how critical infrastructure management tools can become high-value targets for attackers. A single unpatched vulnerability in such software can expose an entire data center to serious risk.
Even though there is no evidence of active exploitation yet, the severity of this flaw leaves no room for delay. Organizations using HPE OneView should act quickly to patch affected systems and reduce their attack surface.