Hewlett Packard Enterprise (HPE) has announced the resolution of a maximum severity security vulnerability in its OneView software. The flaw, if successfully exploited, could allow remote code execution.

The critical vulnerability has been identified as CVE-2025-37164 and has a CVSS score of 10.0. HPE OneView is an IT infrastructure management tool that simplifies operations and enables centralized control of all systems.

Vulnerability Details (CVE-2025-37164)

The security flaw allows an unauthenticated, remote attacker to perform code execution on the affected system. HPE has issued a security warning urging users to take immediate action.

Affected Versions and Solution

The vulnerability affects all versions of HPE OneView prior to version 11.00.

To remediate the vulnerability, users have two options:

  1. Upgrade to Version 11.00: The main solution is to upgrade to version 11.00 of the software.
  2. Hotfix Implementation: HPE has provided a hotfix (emergency patch) for OneView versions 5.20 through 10.20. It is crucial that users apply this patch as soon as possible.

Additional Patching Considerations

HPE has specified that the hotfix should be reapplied in the following scenarios:

  • When upgrading from version 6.60 (or later) to version 7.00.00.
  • After any HPE Synergy Composer reimage operation.

Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
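For an administrator with more than one OneView appliance to track, the practical question is which systems fall into the affected range and which remediation path applies. The following triage helper is an added example, not HPE's own code or tooling: it encodes only the version boundaries stated above (all versions prior to 11.00 affected; hotfix available for 5.20 through 10.20, inclusive) and compares versions numerically rather than as strings, so that "9.00" is correctly treated as older than "10.20". The inventory it runs over is constructed sample data.

```python
# Added triage example (not HPE code). Classifies OneView appliance versions
# against the advisory's stated ranges. Assumes dotted-numeric version strings
# such as "10.20" or "7.00.00"; the host inventory below is constructed.

from typing import List, Tuple

FIXED_VERSION = "11.00"            # first version the advisory lists as fixed
HOTFIX_RANGE = ("5.20", "10.20")   # hotfix provided for these versions, inclusive


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '7.00.00' into (7, 0, 0) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in version.strip().split("."))


def classify(version: str) -> str:
    """Return the remediation path the advisory gives for one version string."""
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "not affected"
    low, high = (parse_version(bound) for bound in HOTFIX_RANGE)
    if low <= v <= high:
        return "affected: apply hotfix or upgrade to 11.00"
    # Affected but outside the published hotfix range: only the upgrade remains.
    return "affected: upgrade to 11.00 (no hotfix for this version)"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Annotate each (host, version) pair with its classification."""
    return [(host, version, classify(version)) for host, version in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders.
    sample = [
        ("oneview-a.example.test", "11.00"),
        ("oneview-b.example.test", "10.20"),
        ("oneview-c.example.test", "9.00"),
        ("oneview-d.example.test", "5.10"),
    ]
    for host, version, verdict in triage(sample):
        print(f"{host:28} {version:8} {verdict}")
```

Note that the helper only reflects the version boundaries the advisory states; it does not know whether intermediate releases exist, and it cannot tell whether a hotfix that was once applied has since been undone by an upgrade to 7.00.00 or a Synergy Composer reimage, which is why those reapplication scenarios still have to be tracked separately.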

Recent HPE Security Context

Although HPE has not reported that this vulnerability is being actively exploited, the criticality of the flaw (CVSS 10.0) makes immediate application of patches essential to protect systems.

This incident follows other recent security updates from the company. In June, HPE released patches for eight vulnerabilities in its StoreOnce backup solution, including flaws that could lead to authentication bypass and remote code execution. OneView version 10.00 was also released to fix several known vulnerabilities in third-party components, such as Apache Tomcat and Apache HTTP Server.

References

  • CVE: CVE-2025-37164
  • HPE Advisory: (The complete HPE advisory reference)