A critical HPE OneView flaw is being exploited in the wild – here’s everything we know so far

HPE customers are advised to upgrade to the latest version immediately


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over a maximum-severity HPE OneView vulnerability which is being actively exploited in the wild.

Tracked as CVE-2025-37164, this is a code injection vulnerability within an unsecured REST API endpoint, the security agency noted, allowing a remote unauthenticated user to perform remote code execution.

HPE OneView is a centralized infrastructure management platform designed to streamline IT operations. It's widely used to deploy, monitor, and manage HPE data center hardware and software from a single global dashboard.

CVE-2025-37164 was first discovered last year by security researcher Nguyen Quoc Khanh, with HPE releasing hotfixes on December 16, 2025.

However, soon after, Rapid7 researchers released a proof-of-concept exploit that would be relatively easy for less-skilled attackers to use, and that could potentially grant full control of affected environments.

“OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution, it’s about gaining centralized control over servers, firmware, and lifecycle management at scale,” Rapid7 researchers explained.

“Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted.”

What to do about the HPE OneView vulnerability

Conor Agnew, head of compliance operations at Closed Door Security, described the CVE as a “very serious vulnerability given the access that OneView has into systems”.

“When attackers exploit this vulnerability, it essentially hands them the keys to the kingdom, where they look trusted, but can have unfiltered access deep into corporate environments to steal data or execute further attacks,” he noted.

CISA advises that when an unauthenticated RCE is detected, defenders should treat it as an assumed-breach scenario, patch immediately, and review access paths and segmentation.

They should prioritize upgrading to version 11.0 or applying the emergency hotfixes - HPE OneView virtual appliance hotfix and HPE Synergy hotfix - as soon as possible, the security agency added.

As feared, the vulnerability has now been exploited in the wild, with CISA adding it to its Known Exploited Vulnerabilities list.

Federal Civilian Executive Branch (FCEB) agencies have been given three weeks to secure their systems.

“Any organizations using the platform should take steps to mitigate the vulnerability as a priority. According to HPE, there are no workarounds or mitigations for the vulnerability, so upgrading to the latest version of OneView is required to protect against the CVE,” Agnew said.

“Organizations are advised to action this as quickly as possible.”

Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.