Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that enables attackers to execute arbitrary code remotely.
OneView is HPE's infrastructure management software that helps IT admins streamline operations and automate the management of servers, storage, and networking devices from a centralized interface.
This critical security flaw (CVE-2025-37164) was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to the company's security team.
It affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code injection attacks to gain remote code execution on unpatched systems.
"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE warned in a Tuesday advisory.
There are no workarounds or mitigations for CVE-2025-37164, so admins are advised to patch vulnerable systems as soon as possible.
HPE has yet to confirm whether this vulnerability has been targeted in attacks and says that affected organizations can upgrade to OneView version 11.00 or later, available through HPE's Software Center, to patch it.
On devices running OneView versions 5.20 through 10.20, the vulnerability can be addressed by deploying a security hotfix, which must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.
Separate downloads are available for the virtual appliance security hotfix and the Synergy security hotfix through dedicated support pages.
In June, HPE patched eight vulnerabilities in StoreOnce, its disk-based backup and deduplication solution, including a critical-severity authentication bypass and three remote code execution flaws.