Active Exploitation Alert: Critical RCE Vulnerability in HPE OneView

The cybersecurity landscape is ever-evolving, and recent reports indicate that a previously patched vulnerability in HPE OneView is now being actively exploited in the wild. This Remote Code Execution (RCE) vulnerability, identified as CVE-2025-37164, poses a significant risk to organizations utilizing affected versions of the HPE OneView infrastructure management platform.


Vulnerability Details

CVE-2025-37164 is a code injection vulnerability found within an unsecured REST API endpoint of HPE OneView. This flaw allows unauthenticated attackers to execute arbitrary code remotely, making it a critical security concern. The vulnerability has a CVSS score of 9.8, reflecting its severity.


Affected Products

The vulnerability affects HPE OneView versions through v10.20. HPE OneView is a centralized infrastructure management platform designed for deploying, monitoring, and managing HPE data center hardware and software through a single interface. Its popularity in large-scale and automated data center environments makes this vulnerability particularly impactful.


Real-World Observations

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of this vulnerability by adding it to its Known Exploited Vulnerabilities (KEV) catalog. The public availability of technical details and a Metasploit module since disclosure has significantly lowered the barrier to entry for less-skilled attackers.


Root Cause

The root cause of CVE-2025-37164 lies in a code injection vulnerability present in an unsecured REST API endpoint. This allows for the injection of malicious code that can be executed by the server, leading to a compromise of the system.


Impact & Exploit Potential

Successful exploitation of this vulnerability grants attackers centralized control over servers, firmware, and lifecycle management at scale. As researchers noted, management platforms like OneView often operate with broad privileges and minimal monitoring, making them attractive targets. An unauthenticated RCE in such a layer demands immediate attention: treat it as an assumed-breach scenario and prioritize patching.


Tactics, Techniques, and Procedures (TTPs)

Attackers are leveraging this vulnerability for initial access and execution. The specific techniques observed include:

  • TA0001 – Initial Access: Attackers gain an initial foothold into the system.
  • TA0002 – Execution: After gaining access, attackers execute malicious code.
  • T1203 – Exploitation for Client Execution: Triggering malicious code execution on the client side.

Mitigation & Recommendations

A security hotfix is available for all HPE OneView versions from 5.20 through 10.20. This hotfix must be reapplied after upgrading an appliance from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.
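The two conditions above (hotfix coverage for 5.20 through 10.20, and mandatory reapplication after a 6.60.xx to 7.00.00 upgrade) are easy to get wrong when triaging a fleet from an inventory export, mainly because version strings compared as text sort "10.20" before "6.60". The following Python script is an added example, not code from the original post or from HPE; it assumes an inventory that records each appliance's current version, the version it was upgraded from (if any), and whether the hotfix is confirmed on the current build. The hostnames and versions in the sample inventory are constructed.

```python
"""Added triage helper (not HPE's or the post author's code).

Given an inventory of HPE OneView appliances, classify each one against the
hotfix conditions stated in the advisory: the hotfix covers versions 5.20
through 10.20, and it must be reapplied after an upgrade from 6.60.xx to
7.00.00 (including a Synergy Composer reimage). Versions are compared as
integer tuples because as plain strings "10.20" sorts before "6.60".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOTFIX_MIN = (5, 20)     # lowest version the hotfix covers (inclusive)
AFFECTED_MAX = (10, 20)  # highest affected version, also the hotfix's upper bound


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '6.60.02', 'v7.00.00' or '10.20' into a tuple of ints.

    A trailing 'xx' placeholder (as in the advisory's '6.60.xx') ends the
    parse, so '6.60.xx' becomes (6, 60) and matches any 6.60 build.
    """
    parts: List[int] = []
    for piece in text.strip().lstrip("vV").split("."):
        if piece.lower() == "xx":
            break
        if not piece.isdigit():
            raise ValueError(f"unrecognised version component {piece!r} in {text!r}")
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"empty version string {text!r}")
    return tuple(parts)


def major_minor(version: Tuple[int, ...]) -> Tuple[int, int]:
    """Reduce a parsed version to (major, minor), padding a bare major with 0."""
    padded = version + (0, 0)
    return (padded[0], padded[1])


def in_hotfix_range(version: str) -> bool:
    """True when the hotfix covers this version (5.20 through 10.20)."""
    return HOTFIX_MIN <= major_minor(parse_version(version)) <= AFFECTED_MAX


@dataclass
class Appliance:
    name: str
    version: str                         # currently running OneView version
    upgraded_from: Optional[str] = None  # previous version if upgraded or reimaged
    hotfix_applied: bool = False         # hotfix confirmed present on the current build


def is_660_to_700_upgrade(app: Appliance) -> bool:
    """The advisory's reapply condition: upgraded from 6.60.xx to 7.00.00."""
    if app.upgraded_from is None:
        return False
    old = major_minor(parse_version(app.upgraded_from))
    new = parse_version(app.version) + (0, 0, 0)
    return old == (6, 60) and new[:3] == (7, 0, 0)


def triage(app: Appliance) -> str:
    """Classify one appliance and return an action label."""
    mm = major_minor(parse_version(app.version))
    if mm > AFFECTED_MAX:
        return "outside-affected-range"
    if mm < HOTFIX_MIN:
        # Affected (every version through 10.20 is), but no hotfix is listed
        # for builds older than 5.20, so the remedy is an upgrade.
        return "upgrade-required"
    if app.hotfix_applied:
        return "hotfixed"
    if is_660_to_700_upgrade(app):
        # A hotfix applied on the 6.60 build does not survive this upgrade.
        return "reapply-hotfix"
    return "apply-hotfix"


def needs_action(inventory: List[Appliance]) -> List[Tuple[str, str]]:
    """Return (name, action) for every appliance that still needs work."""
    return [(a.name, triage(a)) for a in inventory
            if triage(a) not in ("hotfixed", "outside-affected-range")]


# Constructed sample inventory (hostnames and versions are made up for this example).
INVENTORY = [
    Appliance("oneview-dc1", "6.60.02"),
    Appliance("oneview-dc2", "7.00.00", upgraded_from="6.60.03"),
    Appliance("oneview-dc3", "7.00.00", upgraded_from="6.60.03", hotfix_applied=True),
    Appliance("oneview-lab", "4.10"),
    Appliance("oneview-new", "10.30"),
    Appliance("oneview-edge", "10.20", hotfix_applied=True),
]

if __name__ == "__main__":
    for name, action in needs_action(INVENTORY):
        print(f"{name:14} {action}")
```

Run against the sample inventory it reports `oneview-dc1` (apply the hotfix), `oneview-dc2` (reapply it after the 6.60 to 7.00.00 upgrade) and `oneview-lab` (older than the hotfix's 5.20 floor, so upgrade). The `hotfix_applied` flag deliberately describes the current build only, which is what makes the reapply case visible instead of being masked by a record that the hotfix was once installed.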


Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.