Article Details

HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution. Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE said in an advisory issued this week. It affects all versions of the software prior to version 11.00, which addresses the flaw. The company has also made available a hotfix that can be applied to OneView versions 5.20 through 10.20. It's worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2. Although HPE makes no mention of the flaw being exploited in the wild, it's essential that users apply the patches as soon as possible for optimal protection. Earlier this June, the company also released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. It also shipped OneView version 10.00 to remediate a number of known flaws in third-party components, such as Apache Tomcat and Apache HTTP Server.