HPE OneView Software Vulnerability Let Attackers Execute Remote Code

A critical security alert warns customers about a severe vulnerability in HPE OneView Software that could allow remote attackers to execute arbitrary code without authentication.

The flaw, tracked as CVE-2025-37164, carries a CVSS severity score of 10.0, indicating maximum critical risk.

Attribute	Details
CVE ID	CVE-2025-37164
Product	HPE OneView Software
Vulnerability Type	Remote Code Execution
CVSS Score	10.0 (Critical)
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector	Network

HPE OneView Flaw Enables Remote Code Execution

The vulnerability affects HPE OneView Software in all versions before v11.00. Unauthenticated remote attackers could exploit it to achieve remote code execution.

The attack requires no user interaction or special access privileges, making it immediately exploitable over the network. The vulnerability impacts the confidentiality, integrity, and availability of affected systems.

According to HPE’s security bulletin HPESBGN04985, the flaw was responsibly disclosed by security researcher brocked200 (Nguyen Quoc Khanh) on December 16, 2025.

The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A: H indicates the vulnerability is exploitable over the network without any required authentication or user interaction.

The low attack complexity means attackers can reliably execute the exploit with straightforward techniques.

HPE recommends immediate action for all affected customers. The primary solution is to upgrade to HPE OneView v11.00 or later via the My HPE Software Center portal.

Organizations running OneView versions 5.20 through 10.20 can apply a dedicated security hotfix available from HPE’s support channels.

The security hotfix must be reapplied after upgrading from HPE OneView 6.60.xx to 7.00.00, including HPE Synergy Composer reimage operations.

Security administrators managing HPE OneView deployments should prioritize patching these systems, given the critical severity and ease of exploitation.

HPE recommends reviewing system management and security procedures regularly to maintain system integrity.

Organizations unable to immediately patch should implement network segmentation to restrict access to HPE OneView systems and monitor for suspicious activity.

For technical implementation questions, HPE customers should contact their normal HPE Services support channel.

HPE continues to monitor and enhance security features across its software portfolio to provide customers with current, secure solutions against emerging threats.

AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free

The post HPE OneView Software Vulnerability Let Attackers Execute Remote Code appeared first on Cyber Security News.