top of page
perceptive_background_267k.jpg

CISA tags max severity HPE OneView flaw as actively exploited

Published:

8 januari 2026 om 07:45:25

Alert date:

8 januari 2026 om 08:01:52

Source:

bleepingcomputer.com

Click to open the original link from this advisory

Enterprise Applications, Zero-Day Vulnerabilities, Critical Infrastructure

CISA has flagged a maximum-severity vulnerability in HPE OneView as actively exploited in attacks. The vulnerability represents a critical security flaw that attackers are currently leveraging in real-world attacks. Given the maximum severity rating and active exploitation status, this poses a significant threat to organizations using HPE OneView infrastructure management software. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalog, indicating urgent patching priority for affected systems.

Technical details

CVE-2025-37164 is a maximum-severity code injection vulnerability in HPE OneView infrastructure management software that affects all versions prior to v11.00. The flaw allows unauthenticated threat actors to perform remote code execution through low-complexity code-injection attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) and has no available workarounds or mitigations other than upgrading to version 11.00 or later.

Mitigation steps:

Upgrade HPE OneView to version 11.00 or later immediately. The updated version is available through HPE's Software Center. If upgrading is not possible, discontinue use of the product as there are no workarounds or mitigations available. Federal agencies must secure their systems by January 28th per BOD 22-01 requirements.

Affected products:

HPE OneView (all versions before v11.00)

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2025-37164
https://www.bleepingcomputer.com/news/security/hpe-warns-of-maximum-severity-rce-flaw-in-oneview-software/
https://cwe.mitre.org/data/definitions/94.html
http://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://myenterpriselicense.hpe.com/cwp-ui/product-download-info/Z7550-63180/-/sw_free
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-37164#:~:text=Action%3A%20Apply%20mitigations%20per%20vendor%20instructions
https://www.cisa.gov/news-events/alerts/2026/01/07/cisa-adds-two-known-exploited-vulnerabilities-catalog#:~:text=These%20types%20of%20vulnerabilities%20are%20frequent%20attack%20vectors%20for%20malicious%20cyber%20actors%20and%20pose%20significant%20risks%20to%20the%20federal%20enterprise

Related CVE's:

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.

About us

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Deze website toont informatie afkomstig van externe bronnen; Perceptive aanvaardt geen verantwoordelijkheid voor de juistheid, volledigheid of actualiteit van deze informatie.

bottom of page