A critical pre-auth RCE bug in HPE’s IT infrastructure management software OneView – allocated CVE-2025-37164 – is now being exploited in the wild. 

The vulnerability stems from the fact that HPE left an undocumented utility API exposed on a public management port without an active session requirement. Exploitation gives a successful attacker “god mode” powers.

Is this CVSS 10 bug a backdoor or a balls-up? Read on… 
