PT-2025-51738 · Hewlett Packard · Hpe Oneview

Published 2025-12-16 · Updated 2026-01-13 · CVE-2025-37164

CVSS v3.1: 10 (Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Name of the Vulnerable Software and Affected Versions: HPE OneView versions prior to 11.00; HPE OneView versions 5.20 through 10.20
Description: HPE OneView contains a remote code execution issue that allows unauthenticated attackers to execute arbitrary code on affected systems. The vulnerability, tracked as CVE-2025-37164, has a CVSS score of 10.0 and is being actively exploited. It stems from improper input handling in the REST API endpoint /rest/id-pools/executeCommand, which is accessible without authentication. Successful exploitation could allow attackers to gain complete control over IT infrastructure. Approximately 55,000 organizations worldwide, including 90% of Fortune 500 companies, use HPE OneView, making it a significant target. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and urges immediate patching. A Metasploit exploit module is also available.
Recommendations: HPE OneView versions prior to 11.00: upgrade to version 11.00 or later immediately. HPE OneView versions 5.20 through 10.20: apply the hotfix provided by HPE, and re-apply it after any updates from version 6.60 or later to version 7.00.00, or after any system reinstallation using HPE Synergy Composer.
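As an added, defender-side example (not part of the advisory, and not HPE's or the advisory publisher's code), the Python script below does the two things a practitioner usually wants right after reading the entry above: it maps an installed HPE OneView version onto the affected ranges and the matching recommendation, and it scans web-server access logs for requests to the /rest/id-pools/executeCommand endpoint so that exposure and any historical use of the endpoint can be reviewed. The Apache/NGINX combined log format and the sample log lines are assumptions made for this example; only the endpoint path, version ranges and recommendation text come from the advisory.

```python
"""Defender-side triage for the advisory above (PT-2025-51738 / CVE-2025-37164).

  triage_version()        - installed OneView version -> (affected?, recommendation)
  find_endpoint_requests()- access-log lines -> requests to /rest/id-pools/executeCommand

Assumptions not taken from the advisory: logs are in Apache/NGINX "combined" format,
and SAMPLE_LOG below is constructed for this example (RFC 5737 documentation addresses).
"""
import re
from collections import Counter
from typing import Optional

ENDPOINT = "/rest/id-pools/executeCommand"

# Recommendation text as given in the advisory.
RECOMMEND_UPGRADE = "Upgrade to version 11.00 or later immediately."
RECOMMEND_HOTFIX = (
    "Apply the hotfix provided by HPE, and re-apply it after any updates from "
    "version 6.60 or later to version 7.00.00, or after any system reinstallation "
    "using HPE Synergy Composer."
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Normalise '7.00.00', 'v10.20' or '11.00-build5' to (major, minor, patch).

    OneView minors are two-digit labels (10.10, 10.20), so '10.20' parses as (10, 20, 0).
    """
    m = re.match(r"^v?(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) if x else 0 for x in m.groups())
    return major, minor, patch


def triage_version(version: str) -> tuple[bool, str]:
    """Return (affected, recommendation) using the advisory's version ranges."""
    major, minor, _ = parse_version(version)
    if (major, minor) >= (11, 0):
        return False, "Not affected: version 11.00 or later."
    if (5, 20) <= (major, minor) <= (10, 20):   # hotfix range (any 10.20.x counts)
        return True, RECOMMEND_HOTFIX
    return True, RECOMMEND_UPGRADE              # all other versions prior to 11.00


LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_log_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Match on the path only, so a query string or odd casing cannot hide a hit.
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    rec["status"] = int(rec["status"])
    return rec


def find_endpoint_requests(log_text: str) -> list[dict]:
    """Return parsed records whose path is the advisory's executeCommand endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec and rec["path"] == ENDPOINT.lower():
            hits.append(rec)
    return hits


def summarize_sources(hits: list[dict]) -> dict[str, int]:
    """Count endpoint requests per source address for review."""
    return dict(Counter(h["src"] for h in hits))


# Constructed sample access log; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Dec/2025:10:01:12 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512
198.51.100.23 - admin [16/Dec/2025:10:01:15 +0000] "GET /rest/version HTTP/1.1" 200 128
203.0.113.7 - - [16/Dec/2025:10:01:18 +0000] "POST /rest/id-pools/executeCommand?v=1 HTTP/1.1" 200 640
192.0.2.44 - - [16/Dec/2025:10:02:01 +0000] "POST /rest/login-sessions HTTP/1.1" 200 200
this line is malformed and is skipped
"""


def main() -> None:
    for v in ("5.10", "7.00.00", "10.20", "11.00"):
        affected, advice = triage_version(v)
        print(f"{v:>8}: {'AFFECTED' if affected else 'ok'} - {advice}")
    hits = find_endpoint_requests(SAMPLE_LOG)
    print(f"\n{len(hits)} request(s) to {ENDPOINT}:")
    for h in hits:
        print(f"  {h['ts']} {h['src']} {h['method']} status={h['status']}")
    print("per source:", summarize_sources(hits))


if __name__ == "__main__":
    main()
```

The log check matches on path alone, so baseline it against the management network's normal administrative traffic before treating every hit as an incident; because the advisory states the endpoint is reachable without authentication, requests to it from outside the expected management sources, and in particular those answered with a 200 status, are the ones to review first. Keep the logs from before the upgrade or hotfix, since patching removes the exposure but not the evidence of earlier use.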

Exploit

Fix

RCE

Code Injection

Weakness Enumeration

Related Identifiers

BDU:2025-16117
CVE-2025-37164

Affected Products

Hpe Oneview