Cybersecurity Forecast 2026: What to Expect – New Report
Get a Demo

Vulnerabilities

CVE-2025-37164

Critical Unauthenticated HPE OneView Vulnerability Grants Complete Data Center Control: CVE‑2025‑37164

CVSS Gauge
CVSS Needle
CVSS Score: 10.0

Summary

A serious vulnerability in HPE OneView, CVE-2025-37164, allows attackers to execute code remotely without logging in. It can result in complete control over servers, storage, and networking infrastructure and affects versions prior to 11.00Patching it right away is crucial because there are public exploits, and CISA has identified it as being actively exploited.

Urgent Actions Required

  • Upgrade OneView to 11.00+ immediately.
  • If upgrade isn’t possible, apply the emergency hotfix for 5.20–10.20 and reapply after certain upgrades or Synergy Composer reimages.
  • Limit network access to trusted IPs.
  • Monitor logs and API calls for suspicious activity.

Which Systems Are Vulnerable to CVE‑2025‑37164?

Technical Overview

How Does the CVE‑2025‑37164 Exploit Work?

The attack typically follows these steps:

CVE-2025-37164

What Causes CVE‑2025‑37164?

Vulnerability Root Cause:

The issue is due to an HPE OneView API endpoint that lacks authentication. The affected ID Pools functionality accepts and processes requests without verifying user identity. Because the endpoint lacks access checks, attacker input is executed directly, enabling remote code execution without any credentials.

How Can You Mitigate CVE‑2025‑37164?

If immediate patching is delayed or not possible: 

  • Identify all HPE OneView instances running in the environment, as required by CISA guidance.
  • Fix internet-exposed systems first since no login is needed.
  • Apply vendor hotfixes as soon as possible to reduce risk.
  • Continuously assess organizational risk until remediation is completed, as advised by Health-ISAC.

Which Assets and Systems Are at Risk?

Asset Types Affected:

  • Infrastructure Management Platforms – HPE OneView deployments used to manage HPE servers, storage, and networking
  • OneView Appliances/Servers – Systems running HPE OneView versions up to and including v10.20
  • REST API Services – Specifically, the /rest/id-pools/executeCommand endpoint exposed by HPE OneView

Business-Critical Systems at Risk:

  • Enterprise Infrastructure Control Planes – Systems responsible for centralized monitoring and automation of compute, storage, and network resources
  • Managed Server Environments – HPE server environments administered through OneView
  • Networked Infrastructure Assets – Assets that can be reached or impacted following successful code execution and lateral movement

Exposure Level:

  • Network-Accessible OneView Instances – Any HPE OneView appliance reachable over the network
  • Unauthenticated Access Paths – Systems exposed due to the vulnerable endpoint requiring no authentication
  • Enterprise Environments with OneView Deployed – Especially where OneView is widely used to control critical infrastructure components

Will Patching CVE‑2025‑37164 Cause Downtime?

Patch application impact: HPE’s hotfix blocks the vulnerable API endpoint without modifying core OneView functionality, resulting in minimal service disruption. Upgrading to OneView 11.00 or applying the emergency hotfix is expected to have low operational downtime, but should be scheduled promptly due to active exploitation.

How Can You Detect CVE‑2025‑37164 Exploitation?

Exploitation Signatures:

  • Unauthenticated HTTP PUT requests targeting the endpoint: /rest/id-pools/executeCommand
  • Requests containing an ExecutableCommand object with a user-supplied cmd parameter
  • Network access attempts to HPE OneView appliances without prior authentication

Indicators of Compromise (IOCs/IOAs):

  • Successful execution of commands on the OneView appliance without login
  • Unexpected system-level command execution originating from the OneView service
  • Outbound activity or system changes following access to the vulnerable REST endpoint
  • HTTP requests reaching /rest/id-pools/executeCommand that return non-error responses

Behavioral Indicators:

  • OneView executing operating system commands without an authenticated user context
  • Privileged control-plane actions occurring outside normal administrative workflows
  • Signs of lateral movement or persistence after initial OneView compromise

Alerting Strategy:

  • Priority: Critical
  • Trigger alerts for:
    • Any access attempts to /rest/id-pools/executeCommand
    • Unauthenticated PUT requests to OneView REST APIs
    • Exploitation alerts from IPS signature 21797 (HPE OneView Remote Code Execution)

Remediation & Response

  • Remediation Timeline:
    • Immediate: Apply available HPE hotfixes to block access to the vulnerable /rest/id-pools/executeCommand endpoint.
    • As soon as possible: Upgrade HPE OneView to version 11.00, which fully addresses the vulnerability.
    • Ongoing: Ensure all OneView instances running versions up to and including 10.20 are identified and remediated.
  • Incident Response Considerations:
    • Consider affected HPE OneView systems high-risk due to unauthenticated remote code execution.
    • Prioritize network-exposed systems; no authentication needed to exploit.
    • Apply vendor fixes immediately due to active attacks.
    • Use IPS (Sig ID 21797) to block exploits where available.

Compliance & Governance Notes

  • Standards Impacted:
    • CISA Known Exploited Vulnerabilities (KEV) Catalog:
      CVE-2025-37164 is listed as actively exploited, requiring remediation under CISA guidance.
    • Binding Operational Directive (BOD) 22-01:
      Apply vendor fixes or stop using affected HPE OneView systems, per CISA guidance.
  • Audit Trail Requirement:
    • Track remediation actions taken to address CVE-2025-37164, including hotfix deployment or upgrade to HPE OneView 11.00, as required by CISA KEV obligations.
    • Keep records showing compliance with vendor guidance and CISA timelines.
  • Policy Alignment:
    • Prioritize KEV-listed vulnerabilities, especially unauthenticated RCE.
    • Follow CISA KEV and BOD 2201 rules for patching and risk management of exposed systems.

Where Can I Find More Information on CVE‑2025‑37164?

  1. NVD – CVE-2025-37164
  2. CVE-2025-37164 – Hewlett Packard Enterprise OneView Code Injection Vulnerability – [Actively Exploited]
  3. HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution
  4. Critical HPE OneView Vulnerability Exploited in Attacks – SecurityWeek

CVSS Breakdown Table

MetricValue Description
Base Score10.0Maximum severity due to unauthenticated RCE and full control of managed infrastructure
Attack VectorNetwork Exploitable remotely over the network on exposed HPE OneView instances
Attack ComplexityLowNo special conditions are required; confirmed active exploitation
Privileges RequiredNoneNo authentication needed
User Interaction NoneExploit does not require user action
Scope Changed Compromise of OneView affects all managed servers, storage, and networking under its control
Confidentiality Impact HighFull access to infrastructure data and management information
Integrity Impact HighArbitrary code execution allows attackers to modify system and hardware configurations
Availability ImpactHighFull control can disrupt or disable managed infrastructure

Vulnerability Overview 

CVE ID: CVE202537164

CVE Title: HPE OneView Unauthenticated Remote Code Execution

Severity: Critical

Exploit Status: Public proofofconcept available; actively exploited

Business Risk: Complete OneView takeover, enabling unauthenticated code execution, disruption, and infrastructure control.

See How Fidelis Insight™ Strengthens Threat Intelligence

Download the Data Sheet

Related Readings

One Platform for All Adversaries

See Fidelis in action. Learn how our fast and scalable platforms provide full visibility, deep insights, and rapid response to help security teams across the World protect, detect, respond, and neutralize advanced cyber adversaries.

Get a Demo