Exploit Alert: Actively Targeted HPE OneView Flaw (CVE-2025-37164)

Summary
– CVE-2025-37164 is an unauthenticated remote code execution vulnerability in certain HPE OneView versions, now actively exploited and listed in CISA’s Known Exploited Vulnerabilities catalog.
– The vulnerability is a code injection flaw via an unsecured REST API endpoint, and exploitation was made easier after public disclosure of technical details and a Metasploit module.
– HPE OneView is a privileged infrastructure management platform, so a successful exploit grants centralized control over servers and data center hardware at scale.
– HPE released hotfixes for the vulnerability on December 16, 2025, and organizations must upgrade to OneView v11.0 as there are no workarounds.
– Due to the platform’s trusted, high-privilege network position, defenders are advised to treat this as an assumed-breach scenario and prioritize immediate patching and access review.
A critical security flaw within HPE’s OneView infrastructure management platform is now under active attack, prompting urgent action from administrators. The vulnerability, tracked as CVE-2025-37164, allows for unauthenticated remote code execution and has been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. This official designation underscores the immediate threat, as attackers are already leveraging the weakness in real-world incidents.
The swift weaponization of this flaw was predictable. Shortly after its initial disclosure, technical details and a functional Metasploit module became publicly available. This development dramatically lowers the barrier for exploitation, enabling even less sophisticated threat actors to launch attacks. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. This positioning makes a vulnerability here particularly dangerous.
HPE OneView serves as a centralized command hub for deploying and managing data center hardware and software. Its role in large, automated environments means it holds significant power. Security experts at Rapid7 emphasize the gravity of a breach, noting that successful exploitation isn’t just about establishing remote code execution; it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. An intrusion at this level effectively hands over the keys to the infrastructure kingdom.
The specific issue is a code injection flaw stemming from an insecure REST API endpoint. This design weakness permits attackers to execute arbitrary commands without needing valid login credentials. The vulnerability was responsibly reported by researcher Nguyen Quoc Khanh, leading HPE to release necessary hotfixes on December 16, 2025. Rapid7’s subsequent analysis of these patches clarified the exploit mechanism, and by December 19, a proof-of-concept module was circulating in the Metasploit framework.
HPE has stated that all OneView versions prior to v11.0 are susceptible to this attack. The company’s guidance is unequivocal: organizations must upgrade to the patched version immediately. There are no workarounds or mitigations available aside from applying the official fix. Security teams are advised to treat any unpatched instance as a potential breach scenario, requiring not just patching but also a review of network segmentation and access controls to limit the blast radius of any compromise.
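A fleet triage check built from the advisory’s single hard fact (every OneView release before v11.0 is affected), added here as an example and not code from HPE, Rapid7 or the article; the inventory rows are constructed, and the script deliberately works from an exported inventory rather than querying the appliance API, which the article does not describe.

```python
import re

# Per the advisory, every HPE OneView release before v11.0 is affected.
FIXED_VERSION = (11, 0)

# Constructed inventory export: (appliance name, reported software version).
# Hostnames and version strings are made up for this example.
INVENTORY = [
    ("oneview-dc1", "11.00.00-0123456"),
    ("oneview-dc2", "10.20"),
    ("oneview-lab", "9.10.00"),
    ("oneview-edge", "11.0"),
    ("oneview-legacy", "8.90-hotfix"),
]


def parse_version(text):
    """Return (major, minor) from strings like '11.00.00-0123456' or '10.20'."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def is_vulnerable(version_text):
    """True when the appliance runs anything earlier than v11.0.

    Tuples compare numerically; a plain string comparison would rank
    '9.10' above '11.00' and silently mark an old build as patched.
    """
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Split an inventory into (needs_upgrade, patched) name lists."""
    needs_upgrade, patched = [], []
    for name, version in inventory:
        (needs_upgrade if is_vulnerable(version) else patched).append(name)
    return needs_upgrade, patched


if __name__ == "__main__":
    vulnerable, ok = triage(INVENTORY)
    for name in vulnerable:
        # Assumed-breach stance: an unpatched hub gets an access review, not just an upgrade.
        print(f"{name}: pre-11.0 build, upgrade and review access/segmentation")
    print(f"{len(ok)} appliance(s) already at v11.0 or later")
```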
(Source: HelpNet Security)