PT-2025-51738 · Hewlett Packard · HPE OneView

Published: 2025-12-16 · Updated: 2026-05-01 · CVE-2025-37164

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: HPE OneView versions prior to 11.00

Description: A critical code injection issue exists in HPE OneView, a centralized management platform for servers, storage, and networking. The flaw stems from improper input handling in a publicly accessible REST API endpoint, allowing unauthenticated remote attackers to bypass authentication and execute arbitrary commands. This can lead to complete system compromise, potentially granting attackers control over core infrastructure components, privilege escalation, data exfiltration, or operational disruption. This issue has been actively exploited in the wild.

Recommendations: Update to version 11.00 or later. For versions 5.20 through 10.20, apply the dedicated fix for this issue; note that the fix must be reapplied after updating from version 6.60 or later to version 7.00.00, or after any system reinstallation using HPE Synergy Composer.

Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers: BDU:2025-16117, CVE-2025-37164

Affected Products: HPE OneView