CISA flags max-severity bug in HPE OneView amid active exploitation

A max-severity remote code execution (RCE) flaw in HPE’s OneView management platform has been flagged by the Cybersecurity & Infrastructure Security Agency (CISA) for active exploitation. The flaw, tracked as CVE-2025-37164, has been added to CISA’s Known Exploited Vulnerability (KEV) Catalog, days after the company disclosed it with a fix.

“The CVE-2025-37164 OneView vulnerability is severe because it allows unauthenticated remote code execution through a publicly reachable REST API endpoint,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck. “Given how central OneView is for managing servers, storage, and networking, this vulnerability doesn’t just compromise an application – it puts the entire environment at risk. This is why proactive API security assessments are non-negotiable for any system exposing management or automation interfaces.”

HPE has already released advisories and a patch addressing the issue, but enterprises are facing a narrow window to respond before a management-layer compromise turns into full-environment control.

Infrastructure-wide consequences

CVE-2025-37164 is caused by improper input handling in a publicly reachable REST API used by HPE OneView, allowing unauthenticated attackers to execute arbitrary commands on the underlying system. The flaw carries a CVSS score of 10.0, reflecting both the lack of authentication and the direct path to remote code execution, which makes opportunistic scanning and rapid exploitation far more likely.
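The defect class the advisory describes, improper input handling in an API handler that ends up executing commands, is easy to see in miniature. The following is an illustrative example added to this article; it is not HPE OneView code, it does not reproduce CVE-2025-37164, and the handler, its `host` field and the `ping` command it builds are all assumptions. It places the weak pattern (request data spliced into a shell string) beside the hardened one (authenticate first, validate against a strict schema, then pass an argv list that no shell ever parses).

```python
# Illustrative example, not HPE's code and not the actual CVE-2025-37164 bug.
# Shows the generic "untrusted API input reaches a command" defect beside a
# hardened handler. The request shape and the ping command are assumptions.
import json
import re
import shlex


# --- Weak pattern: the untrusted "host" field is interpolated verbatim into a
# shell command string, so shell metacharacters in the request become code. ---
def build_command_unsafe(body: dict) -> str:
    return f"ping -c 1 {body['host']}"


# --- Hardened pattern: strict allowlist validation, then an argv list. ---
# Hostname grammar: alphanumerics, dots and hyphens, no leading/trailing
# punctuation, max 254 chars (an assumption chosen for this example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def build_command_safe(body: dict) -> list[str]:
    host = body.get("host")
    if not isinstance(host, str) or not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid host")
    # Each list element is exactly one argument; nothing is shell-parsed.
    return ["ping", "-c", "1", host]


def handle_request(raw_body: bytes, authenticated: bool) -> tuple[int, str]:
    """Hypothetical REST handler: authentication gate, then schema, then argv.

    Returns an (HTTP status, body) tuple. A real handler would hand the argv
    list to subprocess.run(argv, shell=False, ...); here the command is only
    rendered so the example runs offline without a network tool installed.
    """
    if not authenticated:
        # The article's key point: management APIs must never reach the
        # command-building path without a verified identity.
        return 401, "authentication required"
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        return 400, "malformed JSON"
    try:
        argv = build_command_safe(body)
    except ValueError as exc:
        return 400, str(exc)
    return 200, shlex.join(argv)


if __name__ == "__main__":
    print(build_command_unsafe({"host": "10.0.0.1; echo injected"}))
    print(handle_request(b'{"host": "10.0.0.1; echo injected"}', authenticated=True))
    print(handle_request(b'{"host": "mgmt01.example.internal"}', authenticated=True))
```

The important property is not the regex itself but the ordering: the authentication check comes before any parsing, and the validated value is only ever passed as a discrete argument, so a failure in either layer degrades to a 4xx response rather than to command execution.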

HPE OneView acts as a single pane of glass for servers, storage, and networking, often integrated with identity systems, ticketing platforms, and automation workflows. An unauthenticated RCE in that layer gives attackers a shortcut straight into the heart of enterprise operations.

“HPE OneView’s position in the company and the vulnerability’s severity score make it bad,” said Randolph Barr, chief information security officer at Cequence Security. “When hackers breach a platform such as HPE OneView, they not only gain access to a single system but also penetrate the core operations of the environment.”

Not an ‘apply and move on’ solution

While CISA’s KEV inclusion raised the priority immediately, enterprises can’t treat OneView like a routine endpoint patch. Management-plane software is often deployed on-premises, sometimes on physical servers, and tightly coupled with production workflows. A rushed fix that breaks monitoring, authentication, or integrations can be almost as dangerous as the vulnerability itself.

Barr cautioned that organizations first need to understand how OneView is deployed: whether on physical hardware, as a virtual machine with snapshot support, or in a clustered configuration, before moving to patch. Virtualized setups may allow quicker patch-and-rollback cycles, while older or large on-prem deployments demand careful sequencing and tested backout plans.

“Security teams should be collecting threat intelligence at the same time that they are developing patching strategies,” he said. “That means knowing how the exploit is being utilized, which industries are being targeted, whether attackers are scanning for vulnerable APIs in large numbers, and what signs or actions may be watched throughout the patching time.”
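Two of the signals Barr mentions, mass scanning of the vulnerable API and signs worth watching during the patch window, can be pulled out of ordinary access logs while the patch is still being staged. The script below is an example added to this article, not an HPE or Cequence tool; the log format, the `/rest/example-*` paths and the sample lines are constructed and are not OneView's real log format or endpoints. It flags sources that hammer REST paths with unauthenticated requests inside a sliding window, and then looks for the cheaper but more telling pattern of a flagged source that later receives a successful response.

```python
# Added example, not from the article, HPE or Cequence. Triage over constructed
# management-appliance access-log lines: "<iso-ts> <src-ip> <method> <path> <status>".
# The format, paths and addresses are assumptions for this illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source probing a REST path unauthenticated and then
# succeeding, one slow low-rate prober, and one ordinary authenticated client.
CONSTRUCTED_LOG = """\
2025-12-19T08:00:01Z 203.0.113.5 POST /rest/example-a 401
2025-12-19T08:00:02Z 203.0.113.5 POST /rest/example-a 401
2025-12-19T08:00:04Z 203.0.113.5 POST /rest/example-a 401
2025-12-19T08:00:09Z 203.0.113.5 POST /rest/example-a 200
2025-12-19T08:01:00Z 198.51.100.7 GET /rest/example-b 401
2025-12-19T08:30:00Z 198.51.100.7 GET /rest/example-b 401
2025-12-19T09:00:00Z 198.51.100.7 GET /rest/example-b 401
2025-12-19T08:02:00Z 192.0.2.10 GET /rest/example-b 200
"""

UNAUTH_STATUSES = (401, 403)


def parse_log(log_text):
    """Parse lines into (timestamp, src, method, path, status), sorted by time."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       src, method, path, int(status)))
    events.sort(key=lambda e: e[0])
    return events


def find_scanning_sources(log_text, window=timedelta(minutes=5), threshold=3):
    """Sources with >= threshold unauthenticated /rest/ requests in any window.

    Returns {src: peak count within a window}. A slow prober spread across
    hours stays below the threshold; a burst does not.
    """
    per_source = defaultdict(list)
    for ts, src, _method, path, status in parse_log(log_text):
        if path.startswith("/rest/") and status in UNAUTH_STATUSES:
            per_source[src].append(ts)
    flagged = {}
    for src, times in per_source.items():
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it fits within `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def successes_after_probing(log_text, **kwargs):
    """Flagged sources that later received a 2xx on a /rest/ path.

    A burst of rejections followed by success from the same source is the
    kind of sign worth reviewing during the patch window.
    """
    flagged = find_scanning_sources(log_text, **kwargs)
    first_rejection = {}
    later_success = set()
    for ts, src, _method, path, status in parse_log(log_text):
        if src not in flagged or not path.startswith("/rest/"):
            continue
        if status in UNAUTH_STATUSES:
            first_rejection.setdefault(src, ts)
        elif 200 <= status < 300 and src in first_rejection:
            later_success.add(src)
    return later_success


if __name__ == "__main__":
    print("bursty unauthenticated sources:", find_scanning_sources(CONSTRUCTED_LOG))
    print("probe-then-success sources:", successes_after_probing(CONSTRUCTED_LOG))
```

The window and threshold are deliberately low so the constructed sample trips them; against real traffic they should be tuned to the appliance's normal client behaviour, and the output is a queue for review rather than a verdict.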

While in-the-wild exploitation has not yet been acknowledged outside of the CISA KEV update, the likelihood is high: technical details and a Metasploit module were made public shortly after HPE disclosed the flaw on December 18, 2025.
