Critical Vulnerability Alert: HPE OneView Exposed to Remote Code Execution Attacks

A severe vulnerability has been identified in the Hewlett Packard Enterprise (HPE) OneView network management suite, which allows for remote code execution by unauthenticated users. This vulnerability is considered critical, with a severity rating of 10, prompting cybersecurity experts to recommend immediate patching.

Curtis Dukes, an executive at the Center for Internet Security, highlighted that the potential for exploitation is high since the flaw affects all recent versions of the OneView suite, a key component in managing IT infrastructure. He cautioned that both nation-state actors and criminal organizations could be actively developing exploits for this vulnerability.

HPE’s advisory detailed that this security issue, identified as CVE-2025-37164, impacts all versions from 5.20 to 10.20. The resolution requires the application of a security hotfix, which needs to be reapplied following any upgrades from HPE OneView version 6.60.xx to 7.00.00, as well as after reimaging any HPE Synergy Composer appliances.

The company has provided specific hotfixes for HPE OneView virtual appliances and HPE Synergy Composer. An HPE representative urged administrators to install these patches immediately, citing the significant risk of exploitation.

Jack Bicer from Action1 called attention to the gravity of the vulnerability, noting that exploitation requires no authentication, which makes it imperative to apply patches without delay. Until the fix is implemented, network access to the OneView management interface should be limited to trusted administrative networks only.

OneView is known for its ability to simplify infrastructure lifecycle management via a unified API, facilitating rapid and reliable provisioning of resources across physical, virtual, and containerized systems. Recent vulnerabilities, including one disclosed in June (CVE-2025-37101), have previously raised concerns about the security of the platform, illustrating an escalating risk to organizations utilizing HPE’s solutions.

For more details, refer to HPE’s advisory and the specific hotfixes for the HPE OneView virtual appliance and HPE Synergy Composer.
