HPE tells customers to patch fast as OneView RCE bug scores a perfect 10
Summary
Hewlett Packard Enterprise has warned customers to urgently patch OneView after disclosing a maximum-severity remote code execution vulnerability (CVE-2025-37164) rated 10.0 on the CVSS scale. The flaw affects OneView versions 5.20 through 10.20 and permits unauthenticated attackers to execute code on the management platform. HPE recommends upgrading to OneView 11.0 or applying the emergency hotfix immediately; separate fixes exist for the virtual appliance and HPE Synergy deployments.
Key Points
- CVE-2025-37164 is rated CVSS 10.0 — unauthenticated remote code execution on HPE OneView (versions 5.20–10.20).
- HPE advises immediate action: upgrade to OneView 11.0 or apply the emergency hotfix; distinct fixes for virtual appliance and Synergy.
- Rapid7’s review suggests the vulnerability is exposed via a specific REST API endpoint; the hotfix blocks that endpoint at the web server level.
- OneView is typically deployed deep inside networks with broad privileges — a compromise could give attackers centralised control over infrastructure at scale.
- HPE has not confirmed active exploitation, but security firms urge treating the issue as an assumed breach and reviewing network segmentation and access to management layers.
Context and relevance
This vulnerability matters because management platforms like OneView act as a central control plane for servers, firmware, storage and lifecycle tasks. An unauthenticated RCE at that level is far more dangerous than a single-server bug: it can be used to pivot, deploy ransomware, or take over large swathes of infrastructure quickly. The rapid-availability hotfix and vendor advisory indicate HPE takes the risk seriously; defenders should re-evaluate how trusted internal management systems are segmented and monitored.
Why should I read this?
Short version: if you run OneView, this isn’t a leisurely weekend patch — it’s urgent. Drop what you’re doing, check your OneView version, and patch or upgrade now. Even if you think your management plane is isolated, attackers prize these targets for the big win they give.
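The "check your OneView version" step above, carried out across a fleet rather than one appliance, as an added example (not HPE's tooling or code from the article). It takes an inventory of appliances with the version string each reports, flags any that fall inside the affected range 5.20 through 10.20 stated in the summary, and names the remediation path the summary gives (virtual appliance hotfix, Synergy hotfix, or upgrade to 11.0). The inventory, host names, the `vm`/`synergy` kind labels and the version-string formats it accepts are constructed assumptions for the example.

```python
"""Fleet triage for the OneView RCE (CVE-2025-37164) described in the summary.

Constructed example: inventory, host names and version formats are assumptions,
not data from the article or from HPE.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Affected range per the summary: 5.20 through 10.20 inclusive; 11.0 is the fixed release.
AFFECTED_MIN = (5, 20)
AFFECTED_MAX = (10, 20)
FIXED_VERSION = (11, 0)


@dataclass
class Appliance:
    name: str
    kind: str              # assumed labels: "vm" (virtual appliance) or "synergy"
    version: str           # version string as the appliance reports it
    hotfix_applied: bool = False


def parse_version(text: str) -> tuple[int, int]:
    """Return (major, minor) from strings such as '10.20', '10.20.00-0123' or 'v8.90'.

    Only major.minor matter for the affected-range check; build suffixes are ignored.
    """
    m = re.match(r"v?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True when major.minor lies in the advisory's 5.20-10.20 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(app: Appliance) -> dict:
    """Classify one appliance and state the remediation the summary gives for it."""
    if not is_affected(app.version):
        status = "not-in-affected-range"
        action = "none for this CVE; confirm the version against the vendor advisory"
    elif app.hotfix_applied:
        status = "hotfix-applied"
        action = "no immediate action; track the upgrade to 11.0"
    else:
        status = "VULNERABLE"
        fix = "Synergy hotfix" if app.kind == "synergy" else "virtual appliance hotfix"
        action = f"apply the {fix} now, or upgrade to OneView 11.0"
    return {"name": app.name, "version": app.version, "status": status, "action": action}


def triage(fleet: list[Appliance]) -> list[dict]:
    """Assess every appliance, listing unpatched vulnerable ones first."""
    order = {"VULNERABLE": 0, "hotfix-applied": 1, "not-in-affected-range": 2}
    return sorted((assess(a) for a in fleet), key=lambda r: order[r["status"]])


# Constructed inventory; these are not real hosts.
SAMPLE_FLEET = [
    Appliance("ov-lab-vm02", "vm", "11.0"),
    Appliance("ov-synergy-frame3", "synergy", "8.90", hotfix_applied=True),
    Appliance("ov-dc1-vm01", "vm", "10.20.00-0443"),
    Appliance("ov-legacy-vm", "vm", "5.00"),
]


def vulnerable_names(fleet: list[Appliance]) -> list[str]:
    """Names of appliances that are in range and have no hotfix, in triage order."""
    return [r["name"] for r in triage(fleet) if r["status"] == "VULNERABLE"]


if __name__ == "__main__":
    for row in triage(SAMPLE_FLEET):
        print(f"{row['name']:<20} {row['version']:<16} {row['status']:<22} {row['action']}")
```

Feed it whatever your CMDB or a scripted login to each appliance returns as the version string; the parser tolerates a build suffix but refuses strings it cannot read, so a host with an unparseable version surfaces as an error rather than silently passing as patched.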
Source
Source: https://go.theregister.com/feed/www.theregister.com/2025/12/19/hpe_oneview_rce_bug/
