Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

CISA flags max-severity bug in HPE OneView amid active exploitation

A max-severity remote code execution (RCE) flaw in HPE’s OneView management platform has been flagged by the Cybersecurity & Infrastructure Security Agency (CISA) for active exploitation. The flaw, tracked as CVE-2025-37164, has been added to CISA’s Known Exploited Vulnerability (KEV) Catalog, days after the company disclosed it with a fix.

“The CVE-2025-37164 OneView vulnerability is severe because it allows unauthenticated remote code execution through a publicly reachable REST API endpoint,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck. “Given how central OneView is for managing servers, storage, and networking, this vulnerability doesn’t just compromise an application – it puts the entire environment at risk. This is why proactive API security assessments are non-negotiable for any system exposing management or automation interfaces.”

HPE has already released advisories and a patch addressing the issue, but enterprises are facing a narrow window to respond before a management-layer compromise turns into full-environment control.

Infrastructure-wide consequences

CVE-2025-37164 is caused by improper input handling in a publicly reachable REST API used by HPE OneView, allowing unauthenticated attackers to execute arbitrary commands on the underlying system. The flaw carries a CVSS score of 10.0, reflecting both the lack of authentication and the direct path to remote code execution, which makes opportunistic scanning and rapid exploitation far more likely.

HPE OneView acts as a single pane of glass for servers, storage, and networking, often integrated with identity systems, ticketing platforms, and automation workflows. An unauthenticated RCE in that layer gives attackers a shortcut straight into the heart of enterprise operations.

“HPW OneView’s position in the company and the vulnerability’s severity score make it bad,” Randolph Barr, chief information security officer at Cequence Security. “When hackers breach a platform such as HPE OneView, they not only gain access to a single system but also penetrate the core operations of the environment.”

Not an ‘apply and move on’ solution

While CISA’s KEV inclusion raised the priority immediately, enterprises can’t treat OneView like a routine endpoint patch. Management-plane software is often deployed on-premises, sometimes on physical servers, and tightly coupled with production workflows. A rushed fix that breaks monitoring, authentication, or integrations can be almost as dangerous as the vulnerability itself.

Barr cautioned that organizations first need to understand how OneView is deployed: whether on physical hardware, as a virtual machine with snapshot support, or in a clustered configuration, before moving to patch. Virtualized setups may allow quicker patch-and-rollback cycles, while older or large on-prem deployments demand careful sequencing and tested backout plans.

“Security teams should be collecting threat intelligence at the same time that they are developing patching strategies,” he said. “That means knowing how the exploit is being utilized, which industries are being targeted, whether attackers are scanning for vulnerable APIs in large numbers, and what signs or actions may be watched throughout the patching time.”

While in-the-wild exploitation has not yet been acknowledged outside of the CISA KEV update, the likelihood has been strong as technical details and a Metasploit module were made public shortly after >HPE disclosed the flaw on December 18, 2025.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.