CISA Urges Emergency Patching for Actively Exploited HPE OneView Flaw – Hackread – Cybersecurity News, Data Breaches, AI, and More

If your office uses Hewlett Packard Enterprise (HPE) OneView to manage its servers and networking, you need to check your software version immediately. A major security flaw has been discovered that enables hackers to take control of systems without requiring a login or password.

The situation is serious enough that the US government has stepped in, giving federal agencies a strict deadline to update their systems before the end of the month. The Cybersecurity and Infrastructure Security Agency (CISA) has officially added the issue to its Known Exploited Vulnerabilities (KEV) catalogue. As is well understood, when CISA puts a flaw on this list, it is a signal for everyone to act immediately.

The Problem: An Unlocked Door

The flaw was discovered and reported to HPE by Vietnamese security expert Nguyen Quoc Khanh. It is tracked as CVE-2025-37164 and assigned a perfect CVSS score of 10.0, the highest severity rating possible. It is basically a code injection problem. Simply put, this means a hacker can trick the software into running their own malicious instructions.

An investigation by the team at Rapid7 traced the issue to a feature called ID Pools. Their analysis showed that a specific communication line within that feature, known as a REST API endpoint, was left open without requiring a password.

Because this doorway doesn’t require authentication, attackers can send a simple request to take full control of the system. HPE has warned that this “vulnerability could be exploited, allowing a remote unauthenticated user” to cause significant damage.

Who is most at risk?

Researchers at Rapid7 noted that while the flaw is present in all versions older than 11.00, it seems to affect certain products more than others. Specifically, they found that all unpatched versions of ‘HPE OneView for HPE Synergy’ are likely vulnerable. For users on virtual machines, version 6.x appears to be the primary target.

Note that there are no workarounds or settings you can tweak to stay safe. The only solution is a full update. HPE released the necessary fix in mid-December and is urging all users to move to OneView version 11.00 or later immediately.
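To turn the version guidance above into a quick fleet check, here is an added example (not code from the article, HPE or Rapid7) that triages a constructed OneView inventory against the article's stated rules; the inventory format and hostnames are assumptions for the example, and the main point it demonstrates is that version strings must be compared numerically, since a plain string compare would rank "9.10" above "11.00" and call a vulnerable appliance patched.

```python
"""Triage of a constructed HPE OneView inventory against CVE-2025-37164.
Added example, not code from the article, HPE or Rapid7. It applies the
article's rules: releases older than 11.00 are affected, unpatched
'HPE OneView for HPE Synergy' is likely vulnerable, and 6.x VM appliances
are the primary target. The inventory format is an assumption.
"""
from typing import List, Tuple

FIXED_VERSION = (11, 0)

# Constructed inventory lines (hostname,product,version); all made up.
INVENTORY = """\
ov-synergy-01,HPE OneView for HPE Synergy,6.60.00
ov-vm-02,HPE OneView (VM),9.10.00
ov-vm-03,HPE OneView (VM),6.30.00
ov-synergy-04,HPE OneView for HPE Synergy,11.00.00
ov-vm-05,HPE OneView (VM),11.10.00
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.10.00' into (9, 10, 0) so comparison is numeric; a plain
    string compare ranks '9.10' above '11.00' and would mark a
    vulnerable 9.x appliance as patched."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(version: str) -> bool:
    """Article's rule: anything older than 11.00 is affected."""
    return parse_version(version)[:2] < FIXED_VERSION

def triage(inventory: str) -> List[Tuple[str, str]]:
    """Return (hostname, priority) for each affected appliance, using the
    article's risk notes; nothing is skipped, since no workaround exists."""
    results = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version = [f.strip() for f in line.split(",")]
        if not is_affected(version):
            continue
        if "Synergy" in product:
            results.append((host, "patch-now: Synergy, likely vulnerable"))
        elif parse_version(version)[0] == 6:
            results.append((host, "patch-now: 6.x VM, primary target"))
        else:
            results.append((host, "patch: older than 11.00, no workaround"))
    return results

if __name__ == "__main__":
    for host, priority in triage(INVENTORY):
        print(f"{host}: {priority}")
```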

A Pattern of Attacks

This isn’t the only threat on the radar. CISA officials noted that hackers are also still using a much older flaw in Microsoft Office PowerPoint (CVE-2009-0556) to get into networks. According to CISA, these types of gaps are “frequent attack vectors” because hackers know many organisations forget to update older software or continue running “legacy” systems whose flaws were first exploited years ago.

The government isn’t just suggesting a fix; they are demanding it under Binding Operational Directive 22-01. Whether it is a brand-new bug in your server management tools or a decade-old hole in a presentation app, the message from the authorities is clear: if you do not patch it, someone else will eventually use it to get in.

Expert Insights

Sharing comments with Hackread.com, Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck, explained that this case is a perfect example of why security testing is so critical.

“The CVE-2025-37164 OneView vulnerability is severe because it allows unauthenticated remote code execution (RCE) through a publicly reachable REST API endpoint,” Constantine noted. She warned that since OneView is central to managing entire environments, “this vulnerability doesn’t just compromise an application, it puts the entire environment at risk.”

Randolph Barr, Chief Information Security Officer at Cequence Security, added that the software’s position within a company’s network makes the situation particularly dangerous. “OneView is a centralized management layer that presents you with a wide view of everything,” Barr stated. “When hackers breach a platform such as HPE OneView, they not only gain access to a single system but also penetrate the core operations of the entire environment.”

Barr advised that companies shouldn’t treat this like a standard update. “Treat it as an urgent management-plan concern,” he urged. “Move quickly, but don’t forget the basics. Understand your deployment, assess your exposure, monitor closely during the patching process, and ensure that a rollback is available.”
