Full Report
Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.…
Analysis Summary
# Vulnerability: Maximum-Severity Unauthenticated Remote Code Execution in HPE OneView
## CVE Details
- CVE ID: CVE-2025-37164
- CVSS Score: 10.0 (Critical)
- CWE: Not explicitly stated by the vendor; the described behaviour (remote, unauthenticated code execution) is consistent with an injection or insecure-deserialization class of weakness.
## Affected Systems
- Products: Hewlett Packard Enterprise (HPE) OneView Software
- Versions: 5.20 through 10.20
- Configurations: All deployments of the vulnerable versions, including the OneView virtual appliance and HPE Synergy deployments.
## Vulnerability Description
A critical vulnerability exists within the HPE OneView management platform that allows a remote, unauthenticated attacker to execute arbitrary code on the system. The flaw is believed to be tied to a specific REST API endpoint exposed by the appliance. Because OneView typically possesses deep network access and elevated privileges for infrastructure management, successful exploitation grants an attacker centralized control over core infrastructure components.
## Exploitation
- Status: Active exploitation status is unknown; however, the vendor urges immediate patching, which suggests a high-risk profile. Public PoC existence is not explicitly confirmed but is implied by the severity and the vendor's response.
- Complexity: Low (only network access is required and no authentication).
- Attack Vector: Network (Remote Unauthenticated).
## Impact
Due to the nature of OneView as a centralized management plane:
- Confidentiality: High (Access to sensitive configuration and environment data).
- Integrity: High (Ability to alter infrastructure state/settings).
- Availability: High (Ability to disrupt or take down managed infrastructure).
## Remediation
### Patches
- Immediate action advised: Upgrade to OneView version **11.0**.
- Alternatively, apply the **emergency hotfix** provided by HPE (separate fixes available for the virtual appliance and HPE Synergy deployments).
### Workarounds
- Treat the issue as an assumed-breach scenario.
- Review network segmentation policies governing access to the infrastructure management layer.
- Defenders should cease treating infrastructure management layers (like OneView) as untouchable due to their assumed trust level.
## Detection
- Detection methods derived from Rapid7 analysis suggest the vulnerability is tied to a specific REST API endpoint.
- Indicators of Compromise (IoCs): No concrete IoCs are listed; monitor API logs on the OneView appliance for unusual requests to the identified vulnerable endpoint.
## References
- Vendor Advisory: hXXps://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1