A maximum severity remote code execution vulnerability in the Hewlett Packard Enterprise (HPE) OneView network and systems management suite is “bad” and needs to be patched immediately, says a cybersecurity expert.
“Vendors typically downplay the severity of a vulnerability,” says Curtis Dukes, executive VP for security best practices at the Center for Internet Security, “but HPE did not – it’s a 10.”
The vulnerability is remotely executable by an unauthenticated user, he added, and it impacts every recent version of the suite. On top of that, he pointed out, OneView is a central manager of IT infrastructure in organizations.
“For these reasons, the patch should be implemented immediately,” Dukes said. “Adversaries, nation-state, and criminal gangs alike know there is a window of opportunity and are likely working on an exploit.”
HPE says in its advisory that the vulnerability, CVE-2025-37164, affects all versions between 5.20 and 10.20. It can be resolved by applying a security hotfix, which must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, as well as after any HPE Synergy Composer reimage.
HPE offers separate hotfixes for HPE OneView virtual appliance and HPE Synergy Composer.
The advisory adds that any third-party security patches to be installed on systems running HPE software products should be applied in accordance with the customer’s patch management policy.
Asked for comment, an HPE spokesperson said the company has nothing to say beyond its advisory, other than to urge admins to download and install the patches as soon as possible.
Jack Bicer, director of vulnerability research at Action1, said that because this vulnerability can be exploited without authentication or any user interaction, it is “an extremely severe security issue. There are no available workarounds, so the patch should be applied immediately. Until the patch can be applied, restrict network access to the OneView management interface to trusted administrative networks only.”
HPE describes OneView as a solution that simplifies infrastructure lifecycle management across compute, storage, and networking through a unified API. It allows admins to create a catalogue of workload-optimized infrastructure templates so that more general IT staff can rapidly and reliably provision resources. These templates can quickly provision physical, virtual, and containerized systems, setting up BIOS settings, local RAID configuration, firmware baselines, shared storage, and more. HPE says software-defined intelligence allows IT to run multiple applications simultaneously with repeatable templates that ensure high reliability, consistency, and control. The vendor also says the embedded automation speeds provisioning and lowers operating expenses.
The most recent major vulnerability in OneView was revealed in June: CVE-2025-37101, a local elevation of privilege issue specific to OneView for VMware vCenter. If exploited, an attacker with read-only privileges could upgrade their access to perform admin actions.