HPE has pushed an emergency hotfix for a critical CVSS 10 bug in its IT infrastructure management software OneView – allocated CVE-2025-37164.

The OneView vulnerability affects all versions through v10.20. Exploitation gives full remote code execution without authentication.

No public exploitation has yet been reported. Security researchers at Rapid7 however commented that “when an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.”

Critical HPE OneView vulnerability CVE-2025-37164.

Analysing the patch, Rapid7’s team said that it “applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication.

“Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving [RCE].”
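As an added defensive example (not code from the article, HPE or Rapid7): a small Python check that lists requests to the endpoint named above in appliance webserver logs, so defenders can see whether it was reached from outside management networks before the hotfix rule was in place. It assumes combined-log-format lines and a placeholder management subnet; the sample log is constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Endpoint that the hotfix's HTTP rule blocks, per Rapid7's patch analysis.
WATCHED_ENDPOINT = "/rest/id-pools/executeCommand"

# Assumed management subnet (placeholder; replace with your own ranges).
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Combined log format (an assumption; the appliance's real format may differ).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample lines, not real appliance logs.
SAMPLE_LOG = """\
10.1.2.3 - - [18/Dec/2025:09:00:01 +0000] "GET /rest/version HTTP/1.1" 200 512
203.0.113.7 - - [18/Dec/2025:09:00:05 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 64
10.1.2.9 - - [18/Dec/2025:09:00:09 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 403 0
198.51.100.4 - - [18/Dec/2025:09:00:12 +0000] "GET /rest/login-sessions HTTP/1.1" 401 0
"""


def is_management(ip: str) -> bool:
    """True if the source address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_endpoint_hits(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request to the watched endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.lower() != WATCHED_ENDPOINT.lower():
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": status,
            # Highest-priority finding: a non-management source got a non-error
            # response, i.e. the request reached the endpoint unblocked.
            "reached_from_outside": not is_management(m.group("ip")) and status < 400,
        })
    return hits


if __name__ == "__main__":
    for hit in find_endpoint_hits(SAMPLE_LOG):
        print(hit)
```

Any record with `reached_from_outside` set deserves the assumed-breach handling Rapid7 recommends; a 403 after the hotfix shows the new rule doing its job.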

In an advisory published on December 17, HPE said, “A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution.”

It credited the discovery of the RCE vulnerability to cybersecurity researcher Nguyen Quoc Khanh. 

HPE describes OneView as an “integrated IT infrastructure management software that automates IT operations (...) simplifies infrastructure lifecycle management across compute, storage, and networking.” 

Cybersecurity researchers at Rapid7 said that targeting the platform, which is a “privileged control plane for enterprise infrastructure”, means successful exploitation isn't just about achieving RCE, but about gaining “centralized control over servers, firmware, and lifecycle management at scale.”

HPE has told customers to update their systems to the latest version, OneView 11.0, which addresses the issue. The company also published a security hotfix for versions 5.20 through 10.20.
