Full Report
Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in OneView Software that, if successfully exploited, could result in remote code execution. The critical vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a
Analysis Summary
# Vulnerability: Critical RCE in HPE OneView Software
## CVE Details
- CVE ID: CVE-2025-37164
- CVSS Score: 10.0 (Critical)
- CWE: Not specified in the source material
## Affected Systems
- Products: HPE OneView Software
- Versions: All versions prior to **version 11.00**
- Configurations: N/A
## Vulnerability Description
A critical security flaw exists in HPE OneView Software that allows a remote, unauthenticated user to achieve **Remote Code Execution (RCE)**. This vulnerability resides in HPE's IT infrastructure management software.
## Exploitation
- Status: HPE has patched the flaw; exploitation in the wild is **not mentioned**.
- Complexity: Implied to be low, given the CVSS score of 10.0 and the remote, unauthenticated nature.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Implied by RCE)
- Integrity: High (Implied by RCE)
- Availability: High (Implied by RCE)
## Remediation
### Patches
- **HPE OneView Version 11.00:** Contains the primary fix for the vulnerability.
- **Hotfixes:** Available for OneView versions **5.20 through 10.20**.
* **Note for Hotfix Users:** If running versions 6.60 or later, the hotfix must be reapplied after upgrading to version 7.00.00, or after any HPE Synergy Composer reimaging operations.
* Separate hotfixes are available for the **OneView virtual appliance** and **Synergy Composer2**.
### Workarounds
- No specific workarounds detailing alternative mitigation steps (other than applying patches/hotfixes) were provided in the source material. Urgent patching is recommended.
## Detection
- Detection methods and specific Indicators of Compromise (IOCs) were **not detailed** in the source material. Administrators should monitor network traffic and system logs for anomalous activity on HPE OneView servers corresponding to post-exploitation activity.
## References
- Vendor Advisory: hpesbgn04985en_us
- Patch Information Link (Advisory Reference): support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
- Version 11.00 Reference: support.hpe.com/hpesc/public/docDisplay?docId=sd00006817en_us&page=GUID-EE158266-5CA2-4EF6-BDEF-BD4945C38EDA.html
- NVD Link (Defanged): nvd.nist.gov/vuln/detail/CVE-2025-37164