PoC Exploit Released for HPE OneView Vulnerability that Enables Remote Code Execution


Security researchers have released a Proof-of-Concept (PoC) exploit for a critical vulnerability in HPE OneView, a popular IT infrastructure management platform.

The flaw, tracked as CVE-2025-37164, carries a maximum CVSS score of 10.0, indicating immediate danger to enterprise environments.

The vulnerability allows remote attackers to execute malicious code on affected systems without needing a password or any form of authentication.

A valid Metasploit module has already been published, making it easy for threat actors to weaponize this flaw.

| Feature | Details |
| --- | --- |
| CVE ID | CVE-2025-37164 |
| Severity | Critical (CVSS 10.0) |
| Vendor | Hewlett Packard Enterprise (HPE) |
| Affected Product | HPE OneView (Versions < 11.0) |
| Vulnerability Type | Remote Code Execution (RCE) |
| Exploit Status | PoC & Metasploit Module Available |

Technical Breakdown

The issue lies within the ID-Pools REST API endpoint of the HPE OneView software.

Specifically, the vulnerability exists in how the application handles the executeCommand parameter. The code explicitly marks the authentication header as “not required.”


This oversight allows an attacker to send a simple JSON command, such as opening a reverse shell, which the server then executes with high privileges.

unpatched versions of ‘HPE OneView for HPE Synergy’ are likely all vulnerable

HPE’s advisory states that all versions before 11.0 are affected.

According to Rapid7’s analysis, the application accepts user input via a specific API request (PUT /rest/id-pools/executeCommand). However, it fails to verify whether the user is authorized.

Researchers found that the vulnerable “id-pools” feature is primarily active in HPE OneView for HPE Synergy and specific versions of HPE OneView for VMs (Branch 6.x).

HPE has released a hotfix that patches the flaw by blocking access to the vulnerable URL path.

Given the release of public exploit code and the high privileges associated with OneView management consoles, administrators are urged to patch immediately.

Verify your OneView version immediately and apply the vendor-supplied hotfix to prevent unauthorized access to your physical and virtual infrastructure.
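
For log review alongside patching, the following added example (not from HPE, Rapid7 or the original article) scans web access logs for requests to the endpoint named above, including encoded or padded spellings of the path. It assumes combined-log-format lines from a reverse proxy or load balancer in front of the appliance; the sample lines, addresses, and the `canonical_path` and `find_hits` names are constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Endpoint named in the article: PUT /rest/id-pools/executeCommand (compared lowercased)
VULN_PATH = "/rest/id-pools/executecommand"

# Assumption: combined-log-format lines from a proxy in front of the appliance.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges, made-up timestamps and paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:01:02 +0000] "GET /rest/version HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:03:44 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 200 58 "-" "-"',
    '198.51.100.7 - - [01/Jan/2026:10:03:51 +0000] "PUT /rest//id-pools/%65xecuteCommand/ HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.5 - - [01/Jan/2026:10:09:10 +0000] "GET /rest/id-pools/example HTTP/1.1" 200 900 "-" "-"',
]

def canonical_path(target):
    """Normalise a request target so encoded or padded variants still match."""
    path = target.split("?", 1)[0].split("#", 1)[0]
    for _ in range(2):                        # undo single and double percent-encoding
        path = unquote(path)
    path = re.sub(r"/+", "/", "/" + path)     # collapse repeated slashes
    return normpath(path).lower()             # resolve ./ and ../, drop trailing slash

def find_hits(lines):
    """Return one record per logged request that targeted the vulnerable endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or canonical_path(m["target"]) != VULN_PATH:
            continue  # unparseable line or a different path
        status = int(m["status"])
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"], "status": status,
            # A 2xx reply to PUT means nothing upstream rejected the request.
            "not_blocked": m["method"] == "PUT" and 200 <= status < 300,
        })
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit)
```

Any hit is worth correlating with the appliance's patch state and the source address; `not_blocked` only separates requests that received a success response from those that were refused.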
