HPE Issues Urgent Patch for 10.0 CVSS RCE Flaw in OneView

HPE Patches Critical Unauthenticated RCE Vulnerability (CVE-2025-37164) in OneView Infrastructure Management Software

CRITICAL
December 19, 2025
Categories: Vulnerability, Patch Management, Industrial Control Systems

Executive Summary

Hewlett Packard Enterprise (HPE) has disclosed a critical remote code execution (RCE) vulnerability, CVE-2025-37164, affecting its HPE OneView infrastructure management platform. The vulnerability has been assigned the maximum possible CVSS 3.1 score of 10.0, reflecting its severity. It allows a remote, unauthenticated attacker to execute arbitrary code, effectively taking full control of the OneView appliance. This flaw impacts a broad range of versions, from 5.20 to 10.20. As OneView is a privileged tool used to manage core data center components, its compromise would be catastrophic, granting attackers centralized control over servers and storage. HPE strongly advises customers to upgrade to the patched OneView version 11.0 or apply a hotfix without delay.


Vulnerability Details

  • CVE ID: CVE-2025-37164
  • Severity: Critical (CVSS 10.0)
  • Vulnerability Type: Unauthenticated Remote Code Execution
  • Affected Product: HPE OneView
  • Affected Versions: 5.20 through 10.20
  • Attack Vector: Network
  • Authentication Required: None

This vulnerability was discovered and reported by security researcher Nguyen Quoc Khanh. The technical specifics of the flaw have not been publicly detailed, but its perfect CVSS score indicates that it is likely easy to exploit and requires no user interaction. An attacker who can reach the OneView appliance over the network can exploit this flaw to gain complete control.


Impact Assessment

The impact of exploiting CVE-2025-37164 is extremely severe. HPE OneView is a foundational component of many enterprise data centers, providing a single pane of glass for managing HPE servers, storage arrays, and firmware updates. A compromise of this system is equivalent to an attacker gaining the master keys to the data center.

Potential consequences include:

  • Total Infrastructure Takeover: An attacker could modify server configurations, deploy malicious firmware updates (T1542.001 - System Firmware), access or wipe storage, and shut down critical systems.
  • Widespread Data Breach: With control over storage and servers, an attacker can access and exfiltrate any data residing on the managed infrastructure.
  • Persistent, Undetectable Access: By compromising the management plane, an attacker can establish deep and persistent access that may be difficult to detect, as their actions could be masked as legitimate administrative tasks.
  • Supply Chain Risk: If the OneView instance is used to manage infrastructure for customers, its compromise could lead to a widespread supply chain attack.

As noted by security analysts at Rapid7, compromising OneView doesn't just grant access to one machine; it "hands over the keys to the building."


Exploitation Status

As of December 19, 2025, there are no public reports of active in-the-wild exploitation. However, given the 10.0 CVSS score and the public disclosure, it is highly probable that threat actors will develop a functional exploit in the near future. The SANS Institute has highlighted the urgency of patching before attackers can weaponize the flaw, especially ahead of the holiday period when security staffing is often reduced.


Cyber Observables for Detection

Since there is no known exploit, detection focuses on identifying vulnerable systems and monitoring for anomalous activity.

Observables (type and value, followed by description, context, and confidence):

  • port 443: Default HTTPS port for the HPE OneView management interface. Context: network scans, asset inventory. Confidence: high.
  • url_pattern /rest/login-sessions: A common API endpoint for OneView. Monitor for unusual request patterns or repeated failed access attempts. Context: WAF logs, reverse proxy logs. Confidence: medium.
  • log_source HPE OneView Audit Log: Review for any unauthorized configuration changes, user creations, or API access from unknown IP addresses. Context: SIEM, log management platform. Confidence: high.
  • network_traffic_pattern *: Any network connections originating from the OneView appliance to external or non-standard internal destinations. Context: firewall logs, NetFlow data. Confidence: high.

Detection Methods

  • Asset Inventory: Use authenticated vulnerability scanners or asset management systems to identify all instances of HPE OneView in your environment and check their versions to determine if they fall within the affected range (5.20 to 10.20).
  • Log Monitoring: Ingest HPE OneView audit logs into a SIEM. Create alerts for any administrative actions (e.g., user creation, firmware update tasks, server profile changes) that occur outside of planned maintenance windows or originate from untrusted IP addresses. Reference D3-LAM: Local Account Monitoring.
  • Network Access Control: Monitor for any attempts to access the OneView appliance from network segments that should not have access. Any access from the general user VLAN, for example, is a major red flag.
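As an added example (not HPE's code nor an official OneView tool), the following Python implements the version check from the asset inventory step and the audit-log alert rule from the log monitoring step, using the affected range stated above; the trusted admin subnet, the maintenance window, the action names and the event schema are constructed assumptions, not OneView's real audit-log format.

```python
import ipaddress
from datetime import datetime, time

# Affected range from the advisory: 5.20 through 10.20; 11.0 is the fixed release.
AFFECTED_MIN = (5, 20)
AFFECTED_MAX = (10, 20)

def parse_version(text):
    """Turn a 'major.minor' string such as '10.20' into a comparable tuple."""
    major, minor = text.strip().split(".")[:2]
    return int(major), int(minor)

def is_affected(version):
    """True if this OneView version lies in the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# Assumptions for the audit-log rule (site-specific, constructed for this example):
# a trusted admin subnet, a nightly maintenance window, and the admin actions the
# article names as alert-worthy. The event schema below is also constructed and
# is not OneView's real audit-log format.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]
WINDOW_START, WINDOW_END = time(2, 0), time(4, 0)
ADMIN_ACTIONS = {"USER_CREATE", "FIRMWARE_UPDATE", "SERVER_PROFILE_CHANGE"}

def flag_event(event):
    """Return the reasons an audit record should alert; empty list if benign."""
    reasons = []
    if event["action"] not in ADMIN_ACTIONS:
        return reasons
    src = ipaddress.ip_address(event["src_ip"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("admin action from untrusted source " + event["src_ip"])
    when = datetime.fromisoformat(event["ts"]).time()
    if not WINDOW_START <= when <= WINDOW_END:
        reasons.append("admin action outside maintenance window")
    return reasons

def triage(events):
    """Keep only the records that trip at least one rule."""
    return [(e["user"], e["action"], flag_event(e)) for e in events if flag_event(e)]

# Constructed sample records: a planned firmware update, a suspicious account
# creation from a user VLAN in the afternoon, and an ordinary login.
SAMPLE_EVENTS = [
    {"ts": "2025-12-20T02:30:00", "user": "admin", "src_ip": "10.10.5.12", "action": "FIRMWARE_UPDATE"},
    {"ts": "2025-12-20T14:05:00", "user": "svc_new", "src_ip": "10.40.8.77", "action": "USER_CREATE"},
    {"ts": "2025-12-20T09:00:00", "user": "admin", "src_ip": "10.10.5.12", "action": "LOGIN"},
]
```

Running `triage(SAMPLE_EVENTS)` returns only the afternoon account creation, with both the untrusted-source and out-of-window reasons attached.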

Remediation Steps

  1. Upgrade or Patch Immediately: This is the highest priority. HPE has released OneView version 11.0, which fully remediates the vulnerability. If an immediate upgrade is not possible, an emergency hotfix is available for affected versions. Organizations must apply one of these solutions without delay. Reference M1051 - Update Software.
  2. Restrict Network Access: As a critical compensating control, ensure that the HPE OneView appliance is not accessible from the internet. Its management interface should be isolated on a secure, dedicated management network. Use strict firewall rules to limit access only to authorized administrator workstations or jump boxes. Reference M1035 - Limit Access to Resource Over Network.
  3. Review Audit Logs: After patching, review historical audit logs for any signs of suspicious activity that may indicate a compromise occurred before the patch was applied.

Timeline of Events

  1. December 19, 2025: HPE issues a security advisory for CVE-2025-37164 and releases patches.
  2. December 19, 2025: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to upgrade to HPE OneView 11.0 or apply the provided hotfix immediately.

Isolate the OneView appliance on a secure management network and use strict firewall rules to prevent unauthorized access.

Proper network segmentation ensures that even if an attacker gains access to a part of the network, they cannot reach critical management interfaces like OneView.

D3FEND Defensive Countermeasures

The most urgent and effective action is to patch CVE-2025-37164 by upgrading all HPE OneView instances to version 11.0 or applying the emergency hotfix provided by HPE. Given the 10.0 CVSS score, this should be treated as a top-priority, emergency change. Use asset inventory and vulnerability management tools to ensure all affected versions (5.20 through 10.20) are identified and remediated. Verify successful patching by re-scanning the assets. This directly removes the vulnerability and is the only way to fully protect against exploitation.

As a critical compensating control, enforce strict network isolation for all HPE OneView appliances. These management platforms should never be accessible from the internet. Place them on a dedicated, hardened management VLAN with strict firewall rules that deny all traffic by default. Only permit access from a limited set of authorized administrator workstations or a secure jump host. This 'deny-by-default' stance dramatically reduces the attack surface and would prevent a remote, unauthenticated attacker from ever reaching the vulnerable interface, regardless of its patch status.

Forward all audit logs from HPE OneView to a centralized SIEM for continuous monitoring. Create high-priority alerts for any unauthorized or anomalous administrative activity, such as user account creation, privilege escalation, or configuration changes occurring outside of change windows. Should an attacker exploit CVE-2025-37164 before it is patched, monitoring these logs provides the best opportunity to detect their post-exploitation actions, such as creating a backdoor account or modifying server profiles. This serves as a crucial detection layer for a compromised management plane.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Tags

HPE, OneView, RCE, Vulnerability, CVSS 10, Patch Management, Infrastructure
