


Perceptive Security
SOC/SIEM Consultancy

HPE warns of maximum severity RCE flaw in OneView software
Published:
18 December 2025 at 11:35:53
Alert date:
18 December 2025 at 12:01:35
Source:
bleepingcomputer.com
Enterprise Applications, Zero-Day Vulnerabilities
Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that enables attackers to execute arbitrary code remotely and could allow complete system compromise. Organizations using HPE OneView software should apply the security updates immediately to prevent potential exploitation; the maximum severity rating makes this a high-priority issue requiring urgent attention.
Technical details
CVE-2025-37164 is a maximum severity vulnerability in HPE OneView software that enables unauthenticated attackers to execute arbitrary code remotely. The flaw is classified as a code injection vulnerability that can be exploited through low-complexity attacks without authentication. It affects all OneView versions released before v11.00.
Mitigation steps:
Upgrade to OneView version 11.00 or later
For OneView versions 5.20 through 10.20: deploy security hotfix
Reapply security hotfix after upgrading from version 6.60 or later to version 7.00.00
Reapply security hotfix after any HPE Synergy Composer reimaging operations
Download virtual appliance security hotfix for applicable systems
Download Synergy security hotfix for Synergy systems
Affected products:
HPE OneView software (all versions before v11.00)
HPE OneView versions 5.20 through 10.20 (require security hotfix)
HPE Synergy Composer
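The version ranges and hotfix-reapply conditions above can be turned into a triage pass over an appliance inventory. The following is an added example, not code from HPE or from this alert; the CSV column names, host names and sample versions are constructed for illustration, and how the inventory is collected is left to the reader.

```python
import csv
import io

FIXED = (11, 0)                              # page: upgrade to 11.00 or later
HOTFIX_MIN, HOTFIX_MAX = (5, 20), (10, 20)   # page: hotfix covers 5.20 through 10.20

def parse_version(text):
    """'7.00.00' -> (7, 0, 0), padded to three parts; ValueError if not numeric."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return (parts + (0, 0, 0))[:3]

def triage(version, hotfix_on="", reimaged=False):
    """Map one appliance record to the mitigation step listed in the alert."""
    try:
        cur = parse_version(version)
        prev = parse_version(hotfix_on) if hotfix_on.strip() else None
    except ValueError:
        return "check-manually"
    if cur[:2] >= FIXED:
        return "ok"
    if not HOTFIX_MIN <= cur[:2] <= HOTFIX_MAX:
        return "upgrade"            # outside 5.20-10.20: the page lists no hotfix
    if prev is None:
        return "apply-hotfix"
    if reimaged:
        return "reapply-hotfix"     # Synergy Composer reimaged after the hotfix
    if (6, 60) <= prev[:2] and prev < (7, 0, 0) and cur == (7, 0, 0):
        return "reapply-hotfix"     # upgraded from 6.60 or later to 7.00.00
    return "hotfix-in-place"

# Constructed sample inventory; hosts, versions and column names are made up.
SAMPLE = """host,version,hotfix_on,reimaged
ov-a.example,11.00,,no
ov-b.example,10.20.00,,no
ov-c.example,7.00.00,6.60.05,no
synergy-d.example,8.30,8.30,yes
ov-e.example,5.00,,no
ov-f.example,9.10,9.10,no
ov-g.example,unknown,,no
"""

def triage_inventory(csv_text):
    """Return {host: action} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["version"], r["hotfix_on"], r["reimaged"] == "yes")
            for r in rows}

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host:20} {action}")
```

Here `hotfix_on` is the version the appliance was running when the hotfix was last applied, and `reimaged` records whether a Synergy Composer was reimaged after that.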
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-37164
https://cwe.mitre.org/data/definitions/94.html
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://myenterpriselicense.hpe.com/cwp-ui/product-download-info/Z7550-63180/-/sw_free
https://myenterpriselicense.hpe.com/cwp-ui/product-details/HPE_OV_CVE_37164_Z7550-98077/-/sw_free
https://support.hpe.com/hpesc/public/swd/detail?swCollectionId=MTX-64daeb5ed0df44a0
This article was created with the assistance of AI technology by Perceptive.
