CISA confirms active exploitation of critical HPE OneView vulnerability

08.01.2026 2 minutes Author: Newsman

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a maximum-severity vulnerability in HPE OneView is being actively exploited in real-world attacks. The flaw allows unauthenticated attackers to execute arbitrary code remotely and fully compromise infrastructure management systems.

  • Tracked as CVE-2025-37164, the vulnerability affects all HPE OneView versions prior to 11.00. It enables unauthenticated remote code execution (RCE) through low-complexity code injection attacks. The issue was discovered by Vietnamese security researcher Nguyen Quoc Khanh, and HPE released security patches in mid-December 2025.

  • CISA has added CVE-2025-37164 to its Known Exploited Vulnerabilities (KEV) catalog, requiring U.S. federal agencies to remediate the flaw by January 28, 2026, under Binding Operational Directive 22-01. While the directive applies to federal agencies, CISA strongly urges all organizations to patch affected systems immediately.

HPE OneView is a centralized platform used to manage servers, storage, and networking infrastructure across enterprise environments. A compromise of OneView can provide attackers with broad control over an organization’s IT assets. In recent years, HPE has addressed multiple critical vulnerabilities across its product ecosystem, including RCE flaws and authentication bypass issues.

The active exploitation of CVE-2025-37164 highlights the ongoing risk posed by vulnerabilities in infrastructure management platforms. With no available workarounds or mitigations, upgrading to HPE OneView version 11.00 or later is the only effective way to prevent full system compromise.
