
HPE OneView CVSS 10.0 Flaw Allows Unauthenticated Remote Code Execution

  • Dec 18, 2025
  • 2 min read

Key Findings


  • HPE has disclosed a critical vulnerability (CVE-2025-37164) in its OneView infrastructure management software with a CVSS score of 10.0

  • The flaw allows unauthenticated remote code execution, enabling attackers to take full control of affected systems

  • It impacts all versions of OneView prior to version 11.00

  • HPE has released an urgent patch to address the vulnerability and is advising customers to update as soon as possible

  • For older OneView versions (5.20 to 10.20), HPE has also provided a security hotfix, but it must be reapplied after certain upgrades


Background


HPE OneView is an IT infrastructure management software that streamlines operations and provides a centralized dashboard to control servers, storage, and networking across hybrid cloud environments. As the "brain" of the data center, a compromise of OneView could have severe consequences, potentially allowing attackers to disrupt operations, deploy ransomware, or manipulate the physical hardware.


Vulnerability Details


The vulnerability, assigned the CVE identifier CVE-2025-37164, is a critical flaw that allows unauthenticated remote code execution. This means an attacker can execute arbitrary code on the affected system without requiring any login credentials or user interaction.


Impact and Exploitation


Successful exploitation of this vulnerability could grant an attacker complete control over the targeted OneView environment, including the ability to:


  • Disrupt critical IT operations

  • Deploy malware, such as ransomware, to encrypt or exfiltrate sensitive data

  • Manipulate the physical infrastructure managed by OneView


Mitigation and Remediation


HPE has released OneView version 11.00 to address the vulnerability. All customers are advised to update to this version as soon as possible.


For organizations running older OneView versions (5.20 through 10.20) that cannot immediately upgrade to 11.00, HPE has provided a security hotfix. However, it is crucial to note that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.


Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2, and administrators should verify their version numbers and apply the appropriate patches without delay.
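The remediation guidance above reduces to a version check per appliance: anything at 11.00 or later is patched, 5.20 through 10.20 can take the interim hotfix, and the hotfix must be reapplied after an upgrade from 6.60 or later to 7.00.00 or after a Synergy Composer reimage. The following script is an added example for triaging an inventory against those rules; it is not HPE's tooling and does not query OneView itself. It assumes version strings compare numerically on their major.minor components (e.g. "10.20.00" sorts before "11.00"), and the inventory it reads is constructed for illustration.

```python
"""Triage OneView appliance versions against the CVE-2025-37164 guidance.

Added example, not HPE code. Version thresholds come from the advisory
summary: fixed in 11.00; hotfix covers 5.20 through 10.20; the hotfix must be
reapplied after upgrading from 6.60+ to 7.00.00 or after a Composer reimage.
"""
import re

FIXED_VERSION = (11, 0)          # OneView 11.00 contains the fix
HOTFIX_MIN = (5, 20)             # oldest version the interim hotfix covers
HOTFIX_MAX = (10, 20)            # newest version the interim hotfix covers
REAPPLY_FROM = (6, 60)           # upgrades from here or later ...
REAPPLY_TO = (7, 0)              # ... to 7.00.00 require reapplying the hotfix

STATUS_PATCHED = "patched"
STATUS_HOTFIX = "affected: apply hotfix, plan upgrade to 11.00"
STATUS_UPGRADE = "affected: no hotfix listed, upgrade to 11.00"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.\d+)*\s*$")


def parse_version(text):
    """Return (major, minor) from strings such as '10.20.00' or '11.00'.

    Assumption: only the first two components decide the affected ranges;
    a trailing build number (e.g. 7.00.00) is accepted and ignored.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    return int(match.group(1)), int(match.group(2))


def triage(version):
    """Classify one appliance version against the advisory thresholds."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return STATUS_PATCHED
    if HOTFIX_MIN <= v <= HOTFIX_MAX:
        return STATUS_HOTFIX
    # Below 5.20 (or in any gap the advisory does not name) there is no
    # listed hotfix, so the only remediation on the page is the upgrade.
    return STATUS_UPGRADE


def hotfix_reapply_needed(previous, current, reimaged=False):
    """True when the page's reapply rule fires for an upgrade or reimage.

    The hotfix only matters while the appliance is still below 11.00.
    """
    cur = parse_version(current)
    if cur >= FIXED_VERSION:
        return False
    if reimaged:
        return True
    return parse_version(previous) >= REAPPLY_FROM and cur == REAPPLY_TO


def triage_inventory(inventory):
    """Map each appliance name to its status for a remediation tracker."""
    return {name: triage(ver) for name, ver in inventory.items()}


# Constructed sample inventory (names and versions are illustrative only).
SAMPLE_INVENTORY = {
    "oneview-vm-dc1": "10.20.00",
    "composer2-rack7": "11.00",
    "oneview-lab": "5.10",
}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:18} {SAMPLE_INVENTORY[name]:10} {status}")
    print("reapply after 6.60 -> 7.00.00:", hotfix_reapply_needed("6.60", "7.00.00"))
```

Feed it the version strings from your own asset inventory rather than the constructed sample, and treat any appliance that lands in the "no hotfix listed" bucket as a priority for the 11.00 upgrade, since the page names no interim fix for it.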


Conclusion


The discovery of this critical flaw in HPE OneView, with a maximum CVSS score of 10.0, underscores the importance of staying vigilant and applying security updates promptly. As a core component of data center infrastructure, a compromise of OneView could have far-reaching consequences. HPE's swift response in releasing a fix is commendable, and customers are urged to act quickly to mitigate the risk posed by this vulnerability.


Sources


  • https://thehackernews.com/2025/12/hpe-oneview-flaw-rated-cvss-100-allows.html

  • https://securityonline.info/cve-2025-37164-cvss-10-0-unauthenticated-hpe-oneview-rce-grants-total-control-over-data-centers/

  • https://www.youtube.com/watch?v=pEuR62-3BPc

  • https://x.com/TheHackersNews/status/2001664072102957544

  • https://radar.offseq.com/threat/hpe-oneview-flaw-rated-cvss-100-allows-unauthentic-6d3538dc

© 2025 by Explain IT Again.