HPE Addresses Critical RCE Vulnerability in OneView Software
Hewlett Packard Enterprise (HPE) has announced the patching of a critical vulnerability in its OneView software, which could allow attackers to execute arbitrary code remotely. This flaw, identified as CVE-2025-37164, poses a significant risk as it affects all versions of OneView prior to v11.00. According to Vietnamese security researcher Nguyen Quoc Khanh, who reported the issue, the vulnerability can be exploited by unauthenticated attackers through low-complexity code-injection techniques.
OneView serves as HPE’s infrastructure management software, enabling IT administrators to streamline operations and automate the management of servers, storage, and networking devices from a single interface. In an advisory released on Tuesday, HPE warned that the vulnerability could allow a remote, unauthenticated user to gain control over unpatched systems.
There are currently no workarounds or mitigations available for CVE-2025-37164. HPE strongly encourages administrators to update affected systems to OneView version 11.00 or later, which can be accessed through HPE’s Software Center. For devices running OneView versions 5.20 through 10.20, a security hotfix is available. However, this fix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or following any HPE Synergy Composer reimaging operations.
HPE has not confirmed whether this vulnerability has been exploited in actual attacks. Nonetheless, the company has taken proactive measures to address security concerns. In June 2024, HPE patched eight vulnerabilities in its StoreOnce product, which included a critical authentication bypass and multiple remote code execution flaws. The following month, in July, it issued a warning regarding hardcoded credentials in Aruba Instant On Access Points, which could enable attackers to bypass standard device authentication.
With over 61,000 employees globally, HPE reported revenues of $30.1 billion in 2024. The company’s products and services are integral to more than 55,000 organizations worldwide, including 90% of Fortune 500 companies. HPE’s ongoing commitment to addressing security vulnerabilities highlights its dedication to protecting its global customer base from potential threats.
