


Perceptive Security
SOC/SIEM Consultancy

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution
Published:
18 December 2025 at 14:39:00
Alert date:
18 December 2025 at 17:01:35
Source:
thehackernews.com
Enterprise Applications, Zero-Day Vulnerabilities, Critical Infrastructure
Hewlett Packard Enterprise (HPE) has resolved a critical security vulnerability in OneView Software with a maximum CVSS score of 10.0. The vulnerability, tracked as CVE-2025-37164, allows unauthenticated remote code execution if successfully exploited. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems. The critical nature of this flaw and its potential for remote code execution without authentication make it a high-priority security concern for organizations using HPE OneView.
Technical details
Critical vulnerability CVE-2025-37164 with CVSS score of 10.0 in HPE OneView Software allows remote unauthenticated users to perform remote code execution. The vulnerability affects all versions prior to version 11.00. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface.
Mitigation steps:
Apply patches immediately for optimal protection. Upgrade to HPE OneView version 11.00, or apply the available hotfix for versions 5.20 through 10.20. Note that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
Affected products:
HPE OneView Software - all versions prior to version 11.00
HPE OneView versions 5.20 through 10.20 (hotfix available)
HPE OneView virtual appliance
HPE Synergy Composer2
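The version rules above can be turned into an inventory triage check. The following is an added example, not code from HPE or from the original alert; the `Appliance` record, the action labels and the sample inventory are assumptions made for illustration.

```python
from dataclasses import dataclass

# Version rules as stated in the alert, compared on (major, minor).
FIXED = (11, 0)                                # 11.00 and later are not affected
HOTFIX_MIN, HOTFIX_MAX = (5, 20), (10, 20)     # hotfix exists for this range
REAPPLY_FROM, REAPPLY_TO = (6, 60), (7, 0, 0)  # this upgrade path drops the hotfix

def parse_version(text):
    """'8.30.01' -> (8, 30, 1); missing components are padded with zeros."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class Appliance:                 # hypothetical inventory record
    name: str
    version: str                 # version currently running
    hotfix_applied: bool = False
    upgraded_from: str = ""      # version before an upgrade done after hotfixing
    reimaged: bool = False       # Synergy Composer reimaged after hotfixing

def triage(a):
    """Return the action for one appliance (labels are this example's own)."""
    v = parse_version(a.version)
    if v[:2] >= FIXED:
        return "ok: fixed release"
    if not HOTFIX_MIN <= v[:2] <= HOTFIX_MAX:
        return "upgrade: no hotfix for this version"
    if not a.hotfix_applied:
        return "apply hotfix"
    dropped_by_upgrade = (a.upgraded_from != "" and v == REAPPLY_TO
                          and parse_version(a.upgraded_from)[:2] >= REAPPLY_FROM)
    if a.reimaged or dropped_by_upgrade:
        return "reapply hotfix"
    return "ok: hotfixed"

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Appliance("ov-a", "11.00"),
    Appliance("ov-b", "8.30.01"),
    Appliance("ov-c", "5.00"),
    Appliance("ov-d", "7.00.00", hotfix_applied=True, upgraded_from="6.60"),
    Appliance("composer-e", "9.10", hotfix_applied=True, reimaged=True),
    Appliance("ov-f", "10.20", hotfix_applied=True),
]

def report(inventory=INVENTORY):
    return {a.name: triage(a) for a in inventory}

if __name__ == "__main__":
    for name, action in report().items():
        print(f"{name}: {action}")
```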
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2025-37164
https://www.hpe.com/us/en/software/oneview.html
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://support.hpe.com/hpesc/public/docDisplay?docId=sd00006817en_us&page=GUID-EE158266-5CA2-4EF6-BDEF-BD4945C38EDA.html
https://thehackernews.com/2025/06/hpe-issues-security-patch-for-storeonce.html
This article was created with the assistance of AI technology by Perceptive.
