Vulnerability Summary
- Vulnerability Name: Unauthenticated Remote Code Execution in HPE OneView
- CVE ID: CVE-2025-37164
- CVSS Score: 10.0 (Critical)
- Affected Product: HPE OneView (appliance releases prior to 11.00)
- Exploitability: Network-based, unauthenticated, no user interaction required
- Exploit Availability: No public proof-of-concept is cited in this write-up; exploitation consists of delivering a crafted request carrying a command payload to the exposed management service
- Attack Complexity: Low
- Privileges Required: None
High-Level Summary
CVE-2025-37164 is a critical security flaw in HPE OneView that allows a remote attacker to execute arbitrary commands on the OneView appliance without logging in. The vulnerability exists due to improper validation and access control in internal request handling. An attacker can deliver a malicious payload directly to the exposed service and force the system to execute it with high privileges.
Because OneView is typically used to manage and control core infrastructure components, exploitation can result in complete loss of control over servers, storage, and networking managed by the platform.
Payload-Based Exploitation Details
Exploitation is payload-driven: the request the attacker sends carries the commands the appliance will run, which is what makes the flaw immediately usable rather than merely a crash or information leak:
- The attacker crafts a network request containing a malicious payload (for example, command execution instructions or a script).
- This payload is processed by a vulnerable internal component that does not enforce authentication checks.
- The system executes the payload as if it were a trusted administrative command.
Payloads could be used to:
- Spawn a reverse shell or command shell
- Create persistent backdoors or hidden admin users
- Download and execute additional malicious tools
- Modify system configurations or disable logging
- Implant malware for long-term access
Once a payload is successfully executed, the attacker effectively owns the OneView appliance.
What Happens After Successful Exploitation
If exploited, the attacker may be able to:
- Fully compromise the OneView management appliance
- Control or disrupt all infrastructure managed by OneView
- Shut down, reconfigure, or wipe servers remotely
- Access sensitive credentials, certificates, and configuration data
- Use OneView as a pivot point to attack other internal systems
- Maintain persistent access even after reboots
In real-world environments, this could translate to large-scale outages, data exposure, operational sabotage, or ransomware deployment.
Why This Vulnerability Is High Risk
- No credentials or prior access are needed
- Exploitation can be automated and rapid
- Management systems are highly trusted and powerful
- Perimeter defenses that already allow traffic to the management interface will not by themselves distinguish an exploit request from legitimate management traffic
- There is no vendor workaround; patching is the only fix. Restricting network access to the management interface to administrative hosts and networks limits exposure while the patch is scheduled, but does not remove the flaw
Official Patching and Remediation for CVE-2025-37164 (HPE OneView)
Affected Versions
The following releases of HPE OneView are vulnerable and require immediate attention:
- HPE OneView 5.20
- HPE OneView 6.x
- HPE OneView 7.x
- HPE OneView 8.x
- HPE OneView 9.x
- HPE OneView 10.x
All of these versions contain the flaw and allow unauthenticated remote command execution from any host that can reach the management interface.
HPE has released security updates to address the critical remote code execution vulnerability in OneView. The fixes include both a full updated version and hotfix packages that can be applied to existing supported releases.
1. Fixed Product Version
- The vulnerability is fully resolved in HPE OneView version 11.00 and later.
This is the definitive release that incorporates the security corrections and eliminates the issue.
2. Security Hotfix for Older Versions
- For installations running HPE OneView versions 5.20 through 10.20, HPE has published security hotfix packages that patch the vulnerability without requiring a full version upgrade.
- These hotfixes are separate downloads and must be applied to the OneView appliance you are managing.
- Note that in some upgrade paths (for example when moving from version 6.60 to 7.00, or during an HPE Synergy Composer reimage), the hotfix may need to be reapplied after the upgrade or reimaging process.
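The version rules above (affected 5.20 through 10.x, fixed in 11.00, hotfix available for 5.20 through 10.20, hotfix possibly lost across an upgrade or Composer reimage) are easy to get wrong across a fleet of appliances. The following Python script is an added example written for this write-up, not HPE code: it triages an inventory of appliances into fixed, hotfixed, or one of three vulnerable states that each map to a different action. The inventory, hostnames, build numbers and dates are constructed sample data. The `fetch_version()` helper targets `GET /rest/appliance/nodeinfo/version` and its `softwareVersion` field with an `X-API-Version` header; the endpoint, field name and header value are assumptions to verify against the REST reference for your release before relying on them.

```python
"""Triage HPE OneView appliances against CVE-2025-37164.

Added example for this write-up, not HPE code. Assumptions:
  * OneView reports its software version as "MAJOR.MINOR.PATCH-BUILD"
    (for example "8.10.00-0493960") or just "MAJOR.MINOR"; only the
    MAJOR.MINOR prefix is compared, and MINOR is two digits as in "5.20".
  * Hotfix install dates and last upgrade/reimage dates come from your own
    change records; the appliance is not queried for them here.
  * fetch_version() uses GET /rest/appliance/nodeinfo/version and reads its
    "softwareVersion" field (assumed endpoint, field and API version header).
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple
import json
import re
import ssl
import urllib.request

FIXED_VERSION = (11, 0)                      # resolved in OneView 11.00 and later
HOTFIX_MIN, HOTFIX_MAX = (5, 20), (10, 20)   # hotfix published for 5.20 .. 10.20

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d{2})")


def parse_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) from a OneView version string: "8.10.00-0493960" -> (8, 10)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


@dataclass
class Appliance:
    host: str
    version: str
    hotfix_applied: Optional[date] = None  # when the CVE-2025-37164 hotfix was installed, if ever
    last_upgraded: Optional[date] = None   # last version upgrade or Synergy Composer reimage


def triage(app: Appliance) -> str:
    """Classify one appliance as 'fixed', 'hotfixed', or a 'vulnerable-*' action."""
    v = parse_version(app.version)
    if v >= FIXED_VERSION:
        return "fixed"
    if not (HOTFIX_MIN <= v <= HOTFIX_MAX):
        # Affected, but outside the range the hotfix covers: only a full upgrade helps.
        return "vulnerable-upgrade-to-11.00"
    if app.hotfix_applied is None:
        return "vulnerable-apply-hotfix"
    if app.last_upgraded is not None and app.last_upgraded > app.hotfix_applied:
        # An upgrade or reimage after the hotfix may have dropped it; reapply and re-verify.
        return "vulnerable-reapply-hotfix"
    return "hotfixed"


def triage_inventory(apps: Iterable[Appliance]) -> Dict[str, str]:
    """Map each host in the inventory to its triage status."""
    return {a.host: triage(a) for a in apps}


def fetch_version(host: str, cafile: Optional[str] = None, timeout: float = 10.0) -> str:
    """Read the appliance software version over HTTPS (assumed endpoint; see module docstring).

    Pass cafile for the appliance's CA; certificate verification is deliberately left on.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{host}/rest/appliance/nodeinfo/version",
        # Assumed: pick an API version inside the range GET /rest/version reports.
        headers={"X-API-Version": "800", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.load(resp)["softwareVersion"]


# Constructed sample inventory: hostnames, build numbers and dates are made up.
SAMPLE_INVENTORY = [
    Appliance("ov-lab-01", "11.00.00-0511000"),
    Appliance("ov-prod-01", "8.10.00-0493960"),
    Appliance("ov-prod-02", "6.60.00-0472000",
              hotfix_applied=date(2025, 12, 15), last_upgraded=date(2026, 1, 10)),
    Appliance("ov-dr-01", "10.20.00-0505000",
              hotfix_applied=date(2025, 12, 15), last_upgraded=date(2025, 11, 1)),
    Appliance("ov-legacy", "5.00.00-0400000"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Run it as-is to see the five sample outcomes; to use it on real appliances, replace `SAMPLE_INVENTORY` with entries whose `version` comes from `fetch_version()` (or the appliance UI) and whose dates come from your change records. The reapply case is the one that a plain version check misses: an appliance that was hotfixed in December and upgraded in January still reports a vulnerable version, and the upgrade may have removed the fix.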
3. Download Instructions
- All official patch files, including the main updated version and the separate hotfix packages, are available from HPE’s My HPE Software Center. You will need your HPE support credentials to log in and access these downloads.
Official patch download page:
https://myenterpriselicense.hpe.com/cwp-ui/product-details/HPE_OV_CVE_37164_Z7550-98077/-/sw_free
On this page you will find the appropriate hotfix binaries for your deployment — including versions specific to the virtual appliance and any Synergy Composer variations.
Final Takeaway
CVE-2025-37164 represents a worst-case scenario vulnerability. If a payload is delivered successfully, an attacker gains full remote command execution on a core infrastructure management system. This can directly lead to total infrastructure compromise, prolonged outages, and severe business impact. Immediate patching or upgrading is essential to eliminate the risk.
