
Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that enables attackers to execute arbitrary code remotely.
OneView is HPE’s infrastructure management software that helps IT admins streamline operations and automate the management of servers, storage, and networking devices from a centralized interface.
This critical security flaw (CVE-2025-37164) was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to the company’s security team.
It affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code injection attacks to gain remote code execution on unpatched systems.
“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE warned in a Tuesday advisory.
There are no workarounds or mitigations for CVE-2025-37164, so admins are advised to patch vulnerable systems as soon as possible.
HPE has yet to confirm whether this vulnerability has been targeted in attacks and says that affected organizations can upgrade to OneView version 11.00 or later, available through HPE’s Software Center, to patch it.
On devices running OneView versions 5.20 through 10.20, the vulnerability can be addressed by deploying a security hotfix, which must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.
Separate downloads are available for the virtual appliance security hotfix and the Synergy security hotfix through dedicated support pages.
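The version rules above can be turned into a quick inventory triage. The following is an added example, not HPE tooling: the inventory fields (`hotfix_applied_at`, `reimaged_since_hotfix`), hostnames and sample versions are constructed, and it assumes OneView version strings compare correctly as dotted integers.

```python
import re

FIXED = (11, 0)                              # first fixed release named in the advisory
HOTFIX_MIN, HOTFIX_MAX = (5, 20), (10, 20)   # range the security hotfix covers

def parse_version(text):
    """'v6.60.05' -> (6, 60, 5); pads short strings so '11' -> (11, 0, 0)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(version, hotfix_applied_at=None, reimaged_since_hotfix=False):
    """Return the action for one appliance.

    hotfix_applied_at: version the appliance ran when the hotfix was applied
    (None = never applied). Both keyword fields are hypothetical inventory data.
    """
    v = parse_version(version)
    if v[:2] >= FIXED:
        return "fixed"
    if not (HOTFIX_MIN <= v[:2] <= HOTFIX_MAX):
        return "upgrade"             # outside the hotfix range: move to 11.00 or later
    if hotfix_applied_at is None:
        return "apply-hotfix"
    h = parse_version(hotfix_applied_at)
    # Hotfix must be reapplied after a 6.60-or-later -> 7.00.00 upgrade or a reimage.
    upgraded_to_7 = (6, 60) <= h[:2] < (7, 0) and v[:3] == (7, 0, 0)
    if upgraded_to_7 or reimaged_since_hotfix:
        return "reapply-hotfix"
    return "hotfixed"

# Constructed inventory for illustration only.
INVENTORY = [
    {"host": "ov-a", "version": "11.00.00"},
    {"host": "ov-b", "version": "10.20.00"},
    {"host": "ov-c", "version": "7.00.00", "hotfix_applied_at": "6.60.05"},
    {"host": "ov-d", "version": "8.30.00", "hotfix_applied_at": "8.30.00",
     "reimaged_since_hotfix": True},
]

def report(inventory):
    return {r["host"]: triage(r["version"], r.get("hotfix_applied_at"),
                              r.get("reimaged_since_hotfix", False))
            for r in inventory}

if __name__ == "__main__":
    for host, action in report(INVENTORY).items():
        print(f"{host}: {action}")
```

Appliances reported as `hotfixed` are still on a pre-11.00 release, so they remain candidates for the full upgrade.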
In June, HPE patched eight vulnerabilities in StoreOnce, its disk-based backup and deduplication solution, including a critical-severity authentication bypass and three remote code execution flaws.
One month later, in July, it warned of hardcoded credentials in Aruba Instant On Access Points that could allow attackers to access the web interface after bypassing standard device authentication.
HPE has over 61,000 employees worldwide and has reported revenues of $30.1 billion in 2024. Its products and services are used by over 55,000 organizations worldwide, including 90% of Fortune 500 companies.

