A critical security alert warns customers about a severe vulnerability in HPE OneView Software that could allow remote attackers to execute arbitrary code without authentication.
The flaw, tracked as CVE-2025-37164, carries a CVSS severity score of 10.0, indicating maximum critical risk.
| Attribute | Details |
|---|---|
| CVE ID | CVE-2025-37164 |
| Product | HPE OneView Software |
| Vulnerability Type | Remote Code Execution |
| CVSS Score | 10.0 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Network |
HPE OneView Flaw Enables Remote Code Execution
The vulnerability affects HPE OneView Software in all versions before v11.00. Unauthenticated remote attackers could exploit it to achieve remote code execution.
The attack requires no user interaction or special access privileges, making it immediately exploitable over the network. The vulnerability impacts the confidentiality, integrity, and availability of affected systems.
According to HPE’s security bulletin HPESBGN04985, the flaw was responsibly disclosed by security researcher brocked200 (Nguyen Quoc Khanh) on December 16, 2025.
The CVSS vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A: H indicates the vulnerability is exploitable over the network without any required authentication or user interaction.
The low attack complexity means attackers can reliably execute the exploit with straightforward techniques.
HPE recommends immediate action for all affected customers. The primary solution is to upgrade to HPE OneView v11.00 or later via the My HPE Software Center portal.
Organizations running OneView versions 5.20 through 10.20 can apply a dedicated security hotfix available from HPE’s support channels.
The security hotfix must be reapplied after upgrading from HPE OneView 6.60.xx to 7.00.00, including HPE Synergy Composer reimage operations.
Security administrators managing HPE OneView deployments should prioritize patching these systems, given the critical severity and ease of exploitation.
HPE recommends reviewing system management and security procedures regularly to maintain system integrity.
Organizations unable to immediately patch should implement network segmentation to restrict access to HPE OneView systems and monitor for suspicious activity.
For technical implementation questions, HPE customers should contact their normal HPE Services support channel.
HPE continues to monitor and enhance security features across its software portfolio to provide customers with current, secure solutions against emerging threats.
AI-Powered ISO 27001, SOC 2, NIST, NIS 2, and GDPR Compliance Checklist => Start for Free
