HPE OneView Software Flaw: Unauthenticated Remote Code Execution Vulnerability
Hewlett Packard Enterprise (HPE) has patched a critical vulnerability in its OneView software. The flaw, tracked as CVE-2025-37164, carries the maximum CVSS score of 10.0, placing it in the Critical severity band.
HPE OneView is a centralized IT infrastructure management platform, and that role is what makes the bug so serious: it lets an unauthenticated remote attacker execute arbitrary code on the appliance, and whoever controls the management plane is well placed to reach the servers and devices it manages.
In a security advisory, HPE warned, 'A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution.' The vulnerability affects all versions of OneView prior to version 11.00, which includes a fix.
HPE has released a hotfix for OneView versions 5.20 through 10.20. The hotfix does not survive certain operations: it must be reapplied after upgrading to version 7.00.00 from version 6.60 or later, and after any HPE Synergy Composer reimaging. Separate hotfixes are provided for the OneView virtual appliance and for Synergy Composer2. No hotfix is mentioned for releases earlier than 5.20, so for those appliances the remaining remediation is an upgrade to 11.00.
HPE says it is not aware of any exploitation in the wild, but an unauthenticated remote code execution flaw with a 10.0 score on a management appliance is exactly the kind of bug that gets weaponized quickly, so the fixed release or the hotfix should be applied without waiting for reports of attacks. Where patching has to wait, restricting network access to the OneView management interface reduces exposure, since the flaw requires no credentials.
This isn't the first time HPE has dealt with such issues. Earlier this year, the company fixed eight vulnerabilities in its StoreOnce backup and deduplication product, including authentication bypass and remote code execution. It also shipped OneView version 10.00 to address known flaws in the bundled third-party components Apache Tomcat and Apache HTTP Server.
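The version rules above are easy to get wrong across a fleet, so here is an added example (written for this page, not HPE's own tooling) that triages a list of appliances against them: which are already fixed, which can take the hotfix, which predate the hotfix range and need an upgrade, and which upgrade paths wipe the hotfix. The host names, version strings and build suffix are constructed sample data, and the handling of releases between 10.20 and 11.00 is the script's own assumption, since the advisory summary does not cover that window.

```python
"""Triage helper for CVE-2025-37164 in HPE OneView.

Added example, not HPE's tooling. The version thresholds come from the
advisory summary; the inventory at the bottom is constructed sample data,
and the 'check-advisory' status for releases between 10.20 and 11.00 is
this script's own assumption.
"""
import re

FIXED_IN = (11, 0)        # OneView 11.00 contains the fix
HOTFIX_MIN = (5, 20)      # hotfix covers 5.20 ...
HOTFIX_MAX = (10, 20)     # ... through 10.20, inclusive
REAPPLY_TARGET = (7, 0)   # hotfix must be reapplied after upgrading to 7.00.00 ...
REAPPLY_FROM = (6, 60)    # ... from 6.60 or later

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn an appliance version string such as '10.20.00-0507936' (constructed
    build suffix) into a numeric tuple. Comparing raw strings would be wrong:
    '5.20' sorts after '10.20' lexically, which would flag every 10.x
    appliance as older than the hotfix range."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def triage(version: str, hotfix_installed: bool = False) -> str:
    """Classify one appliance. Returns one of:
    fixed, hotfix-applied, hotfix-required, upgrade-required, check-advisory."""
    v = parse_version(version)[:2]
    if v >= FIXED_IN:
        return "fixed"
    if v < HOTFIX_MIN:
        # Affected, but no hotfix is listed for these releases: upgrade is the only route.
        return "upgrade-required"
    if v > HOTFIX_MAX:
        # Between 10.20 and 11.00: the summary names no hotfix here, so escalate
        # to the full advisory (assumption made by this script).
        return "check-advisory"
    return "hotfix-applied" if hotfix_installed else "hotfix-required"


def needs_hotfix_reapply(before: str, after: str, composer_reimaged: bool = False) -> bool:
    """True when an operation removes the hotfix: upgrading to 7.00.00 from
    6.60 or later, or any Synergy Composer reimage."""
    if composer_reimaged:
        return True
    b, a = parse_version(before)[:2], parse_version(after)[:2]
    return a == REAPPLY_TARGET and REAPPLY_FROM <= b < a


def triage_inventory(inventory):
    """Map appliance name -> status for a list of (name, version, hotfix_installed)."""
    return {name: triage(ver, hf) for name, ver, hf in inventory}


# Constructed sample inventory (not real hosts or real build numbers).
SAMPLE_INVENTORY = [
    ("ov-prod-01", "10.20.00-0507936", True),
    ("ov-prod-02", "10.20.00-0507936", False),
    ("ov-lab-01", "5.10.00", False),
    ("ov-dr-01", "11.00.00", False),
]

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
    # A planned 6.60 -> 7.00.00 upgrade: the hotfix has to go back on afterwards.
    print("reapply after 6.60 -> 7.00.00:", needs_hotfix_reapply("6.60", "7.00.00"))
```

Feed it whatever version strings your inventory system or the appliance itself reports; the point of `parse_version` is that the comparison is numeric, so a 10.x appliance is never mistaken for one older than 5.20.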