Hewlett Packard Enterprise (HPE) has addressed a critical security vulnerability in its OneView software that, if exploited, could allow remote code execution without authentication. The flaw, tracked as CVE-2025-37164, carries a maximum CVSS score of 10.0, highlighting its severity.
HPE OneView is an IT infrastructure management platform that provides centralized control over systems and operations via a unified dashboard. According to an advisory from HPE, the flaw could be exploited by a remote unauthenticated attacker to execute arbitrary code on affected systems.
The vulnerability affects all versions of OneView prior to version 11.00, which contains the necessary fixes. HPE has also released a hotfix applicable to versions 5.20 through 10.20. The company notes that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or following any HPE Synergy Composer reimaging procedures. Separate hotfixes exist for the OneView virtual appliance and Synergy Composer2.
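The version boundaries in the paragraph above lend themselves to a small inventory check. The following Python is an added example, not code from the article or from HPE: it classifies OneView appliance version strings against those boundaries (fixed in 11.00, hotfix for 5.20 through 10.20, hotfix to be reapplied after a 6.60-or-later to 7.00.00 upgrade or a Composer reimage). The dotted version format, the sample inventory and the status labels are assumptions made for the example.

```python
# Added example (not from the article or HPE): classify HPE OneView versions
# against the CVE-2025-37164 remediation guidance as the article summarises it.
# The version boundaries come from the article; the inventory, the dotted
# version format and the status labels are assumptions for this example.
from __future__ import annotations

FIXED_VERSION = (11, 0, 0)            # 11.00 and later contain the fix
HOTFIX_MIN, HOTFIX_MAX = (5, 20, 0), (10, 20, 0)  # hotfix covers 5.20..10.20
REAPPLY_FROM = (6, 60, 0)             # upgrading from 6.60 or later ...
REAPPLY_TO = (7, 0, 0)                # ... to 7.00.00 requires reapplying the hotfix

STATUS_FIXED = "fixed"
STATUS_MITIGATED = "mitigated-hotfix-applied"
STATUS_NEEDS_HOTFIX = "vulnerable-apply-hotfix"
STATUS_NEEDS_UPGRADE = "vulnerable-upgrade-required"  # below the hotfix range


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse a dotted version such as '10.20' or '7.00.00' into a 3-tuple.

    Tuples compare lexicographically, so (6, 60, 0) < (7, 0, 0) < (11, 0, 0),
    which matches how the article orders releases.
    """
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OneView version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str, hotfix_applied: bool = False) -> str:
    """Return the remediation status of one appliance for CVE-2025-37164."""
    v = parse_version(version)
    if v >= FIXED_VERSION:
        return STATUS_FIXED
    if HOTFIX_MIN <= v <= HOTFIX_MAX:
        return STATUS_MITIGATED if hotfix_applied else STATUS_NEEDS_HOTFIX
    # Older than 5.20: no hotfix is listed for these releases.
    return STATUS_NEEDS_UPGRADE


def hotfix_must_be_reapplied(old: str, new: str, composer_reimaged: bool = False) -> bool:
    """True when the article says the hotfix has to be applied again.

    That is after a Synergy Composer reimage, or after upgrading from 6.60 or
    later to exactly 7.00.00.  Upgrades to 11.00 or later need no hotfix at all.
    """
    if parse_version(new) >= FIXED_VERSION:
        return False
    if composer_reimaged:
        return True
    return parse_version(old) >= REAPPLY_FROM and parse_version(new) == REAPPLY_TO


def audit(inventory: list[dict]) -> dict[str, str]:
    """Map each host name in a constructed inventory to its status."""
    return {h["host"]: classify(h["version"], h.get("hotfix_applied", False))
            for h in inventory}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    {"host": "oneview-a", "version": "11.00"},
    {"host": "oneview-b", "version": "10.20", "hotfix_applied": True},
    {"host": "oneview-c", "version": "8.10"},
    {"host": "composer-d", "version": "5.10"},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
    # Example of the reapply rule: 6.60 -> 7.00.00 needs the hotfix again.
    print("reapply after 6.60 -> 7.00.00:", hotfix_must_be_reapplied("6.60", "7.00.00"))
```

The tuple comparison is the only real logic: it keeps "10.20" below "11.00" even though a plain string comparison would not, and it treats "7.00.00" and "7.00" as the same release. Anything the article does not list (pre-5.20 appliances) is reported as needing an upgrade rather than guessed at.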
While there is no public evidence of this vulnerability being exploited in the wild, HPE strongly recommends that organizations apply the hotfixes and updates immediately to ensure protection.
Earlier this year, HPE also released security updates for its StoreOnce data backup and deduplication solution to address eight vulnerabilities that could lead to authentication bypass or remote code execution. Additionally, OneView version 10.00 was shipped to remediate flaws in third-party components such as Apache Tomcat and Apache HTTP Server.