HPE patches critical OneView vulnerability enabling unauthenticated remote code execution
Hewlett Packard Enterprise (HPE) has issued fixes for a maximum-severity security vulnerability in its OneView infrastructure management software that could allow unauthenticated remote code execution. The flaw, tracked as CVE-2025-37164, carries a CVSS score of 10.0.
OneView is used to centralize and streamline IT operations across HPE systems through a consolidated dashboard. In an advisory published this week, HPE said: "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution."
The vulnerability affects all OneView releases prior to version 11.00. HPE has released version 11.00 to address the issue and made available hotfixes for a range of earlier releases.
HPE supplied a hotfix that can be applied to OneView versions 5.20 through 10.20. Administrators should note specific requirements for applying and retaining the hotfix: it must be reapplied after upgrading from version 6.60 or later to version 7.00.00, and it also must be reapplied after any HPE Synergy Composer reimaging operations. Separate hotfixes are provided for the OneView virtual appliance and for Synergy Composer2.
HPE did not state that the vulnerability has been observed in active exploitation. Nonetheless, the company advised customers to apply the provided updates to minimize exposure and protect managed infrastructure.
The disclosure follows other remediation activity by HPE earlier in the year. In June, the company released updates to address eight vulnerabilities in its StoreOnce backup and deduplication solution, some of which could result in authentication bypass and remote code execution. HPE also shipped OneView version 10.00 earlier in the year to remediate several known flaws in third-party components, including Apache Tomcat and Apache HTTP Server.
IT teams running OneView instances should prioritize review and deployment of the fixes. Recommended immediate actions include:
- Confirm the OneView version in use and determine whether it predates 11.00.
- Apply the version 11.00 update or the hotfix provided for versions 5.20 through 10.20 as appropriate.
- If upgrading from 6.60 or later to 7.00.00, plan to reapply the hotfix after the upgrade completes.
- Reapply the hotfix after any HPE Synergy Composer reimaging operations.
- Obtain and apply the separate hotfixes for OneView virtual appliance deployments and for Synergy Composer2, if applicable.
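As an added example, not HPE's own tooling, the following Python helper encodes the version thresholds from the advisory (fixed in 11.00, hotfix for 5.20 through 10.20, reapply after a 6.60-or-later to 7.00.00 upgrade or a Composer reimage) so an inventory can be triaged consistently; the hostnames and versions in its sample inventory are constructed.

```python
"""Triage helper for CVE-2025-37164 in HPE OneView, built from the version
thresholds quoted in the article. Hostnames and versions in the sample
inventory below are constructed for illustration, not real systems."""

FIXED = (11, 0)                              # 11.00 carries the fix
HOTFIX_MIN, HOTFIX_MAX = (5, 20), (10, 20)   # hotfix covers 5.20 through 10.20
REAPPLY_FROM = (6, 60)                       # hotfix is lost when upgrading from 6.60+
REAPPLY_TO = (7, 0, 0)                       # ...to exactly 7.00.00


def parse_version(text: str) -> tuple[int, int, int]:
    """'7.00.00' -> (7, 0, 0); '10.20' -> (10, 20, 0). Rejects junk input."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OneView version: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return nums[0], nums[1], nums[2]


def classify(version: str) -> str:
    """Remediation state of one appliance; thresholds compare on major.minor."""
    v = parse_version(version)[:2]
    if v >= FIXED:
        return "fixed"
    if HOTFIX_MIN <= v <= HOTFIX_MAX:
        return "affected: apply hotfix or upgrade to 11.00"
    return "affected: no hotfix listed, upgrade to 11.00"


def hotfix_must_be_reapplied(old: str, new: str, composer_reimaged: bool = False) -> bool:
    """True when the advisory says an applied hotfix will not survive: an upgrade
    from 6.60 or later to 7.00.00, or any Synergy Composer reimaging."""
    if composer_reimaged:
        return True
    old_mm = parse_version(old)[:2]
    return REAPPLY_FROM <= old_mm < REAPPLY_TO[:2] and parse_version(new) == REAPPLY_TO


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map hostname -> remediation state for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    sample = {"ov-prod-01": "10.20", "ov-lab-02": "6.60", "ov-new-03": "11.00"}
    for host, state in triage(sample).items():
        print(f"{host:12} {sample[host]:>8}  {state}")
    print("reapply after 6.60 -> 7.00.00:", hotfix_must_be_reapplied("6.60", "7.00.00"))
```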
Operators should also follow standard mitigation and validation practices after applying updates: verify successful installation, monitor system logs for anomalous activity, and restrict access to management interfaces where feasible. Where maintenance windows are required, schedule updates as soon as practical to reduce the window of exposure.
HPE’s advisory and the accompanying fixes are intended to address the immediate risk posed by the CVE-2025-37164 vulnerability. Organizations that manage HPE infrastructure with OneView should treat this as a high-priority maintenance item given the severity rating and the potential for unauthenticated remote code execution.
For environments that cannot apply updates immediately, administrators should consider additional compensating controls such as network segmentation, firewall rules to limit access to OneView interfaces, and enhanced monitoring until patches can be installed. As with any critical vulnerability, timely patching remains the most reliable mitigation.