HPE OneView flaw now actively exploited, CISA warns

Update January 8, 2026: The US security authority CISA warns that the HPE OneView vulnerability CVE-2025-37164 is being actively exploited. Patching is therefore not only good advice, but also a requirement to remain secure in the face of ongoing attacks. Those who have not yet applied patches should also check whether malicious parties have already gained access and moved laterally through the corporate network. If so, there may be backdoors that even survive a OneView patch.

Original message, December 19, 2025:

Hewlett Packard Enterprise has fixed a critical vulnerability in OneView Software that allows remote code execution. The bug received the maximum CVSS score of 10.0 and has now been fixed in version 11.00.

HPE announced in a security advisory that the vulnerability, numbered CVE-2025-37164, is extremely dangerous. An unauthenticated attacker could remotely execute code by exploiting this flaw. OneView is an IT infrastructure management solution that controls all systems within organizations from a single central dashboard.

“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing an external, unauthenticated user to execute remote code,” HPE said in the advisory issued this week.

Versions and solutions

The security flaw affects all versions of the software prior to version 11.00. HPE has resolved the issue with this new version. In addition, the company is releasing a hotfix for OneView versions 5.20 through 10.20.

There is an important point to note when installing the hotfix. When upgrading from version 6.60 or later to 7.00.00, the patch must be reapplied. The hotfix is also required after reinstalling HPE Synergy Composer. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.

No evidence of active attacks

According to security researcher Nguyen Quoc Khanh, who reported the vulnerability, the problem is caused by incorrect input validation in a REST API endpoint. HPE itself does not mention that the bug is being exploited in practice. Nevertheless, the company emphasizes that users should install the patches as soon as possible for optimal protection.

In June of this year, HPE already released updates for eight vulnerabilities in the StoreOnce data backup and deduplication solution. These issues could lead to authentication bypass and remote code execution. OneView version 10.00 was also released to fix known bugs in third-party components such as Apache Tomcat and Apache HTTP Server.
