Advisory

Critical remote code execution flaw reported in HPE OneView

Take action: Make sure no HPE OneView appliance is reachable from the internet and that management access is limited to trusted networks. Contact HPE for details, then upgrade to version 11.00 as soon as possible, or apply the hotfix HPE provides for your current version (5.20 through 10.20).


Learn More

Hewlett Packard Enterprise is reporting a critical vulnerability in its OneView infrastructure management platform that could let an unauthenticated remote attacker execute arbitrary code on the appliance.

HPE OneView serves as a centralized management platform for IT infrastructure components, including servers, storage systems, and network resources.

The vulnerability (link requires login) is tracked as CVE-2025-37164 (CVSS score 10.0) and allows an unauthenticated attacker with network access to the appliance to execute code remotely. HPE has not published technical details of the flaw or of potential attack scenarios.

All versions of HPE OneView prior to version 11.00 are affected.

HPE has released version 11.00, which patches the flaw. Additionally, the company is providing hotfixes for older OneView versions between 5.20 and 10.20 to support organizations that can't upgrade to the latest version. HPE notes that the hotfix must be reapplied after upgrading OneView from version 6.60.xx to 7.00.00, and also after any reimaging of HPE Synergy Composer.
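The following script is an added example, not HPE's code and not part of the original advisory. It triages an inventory of OneView appliances by the version string each one reports, flagging everything below 11.00 as affected, which is the only criterion the advisory gives. The inventory is constructed for illustration; the version-string layout ("MAJOR.MINOR.PATCH-BUILD"), the REST endpoint and the "softwareVersion" field used by the optional fetch helper are assumptions and should be checked against your own appliances before relying on them.

```python
"""Triage HPE OneView appliances by reported software version.

Added example; not HPE's code. Assumes OneView version strings look like
"MAJOR.MINOR.PATCH-BUILD" (e.g. "10.20.00-0123456") and, per the advisory,
that every release below 11.00 is affected by CVE-2025-37164.
"""
import json
import ssl
import urllib.request
from typing import List, Optional, Tuple

# First release that carries the fix, according to the advisory.
FIXED_VERSION = (11, 0)

# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY: List[Tuple[str, str]] = [
    ("oneview-dc1.example.internal", "10.20.00-0123456"),
    ("oneview-dc2.example.internal", "11.00.00-0456789"),
    ("synergy-composer-1.example.internal", "6.60.00-0385837"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "10.20.00-0123456" into (10, 20, 0); the build suffix is dropped."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OneView version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the appliance runs anything older than 11.00 (major.minor only)."""
    return parse_version(version)[:2] < FIXED_VERSION


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, version) for every appliance still on an affected release."""
    return [(host, ver) for host, ver in inventory if is_affected(ver)]


def fetch_version(host: str, timeout: float = 10.0) -> Optional[str]:
    """Ask a live appliance for its version over HTTPS.

    Assumption: OneView answers GET /rest/appliance/nodeinfo/version with JSON
    that carries a "softwareVersion" field. Certificate verification stays on;
    an appliance that only presents a self-signed certificate will fail here
    rather than being queried over an unverified channel.
    """
    url = f"https://{host}/rest/appliance/nodeinfo/version"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        data = json.load(resp)
    value = data.get("softwareVersion")
    return str(value) if value is not None else None


if __name__ == "__main__":
    for host, ver in triage(INVENTORY):
        print(f"AFFECTED  {host}  {ver}  -> upgrade to 11.00 or apply HPE hotfix")
```

Version alone cannot prove an appliance is safe: a hotfixed 10.20 appliance still reports a 10.20 base version, so treat a hit from this check as "verify hotfix state" rather than "confirmed vulnerable", and remember the advisory's note that the hotfix must be reapplied after the 6.60.xx to 7.00.00 upgrade and after any Synergy Composer reimage.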
