Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that allows attackers to execute arbitrary code remotely.
OneView is HPE’s infrastructure management software that helps IT admins streamline operations and automate the management of servers, storage, and networking devices from a centralized interface.
This critical security flaw (CVE-2025-37164) was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to the company’s security team.
It affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code injection attacks to gain remote code execution on unpatched systems.
“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE warned in a Tuesday advisory.
There are no workarounds or mitigations for CVE-2025-37164, so admins are advised to patch vulnerable systems as soon as possible.
HPE has yet to confirm whether this vulnerability has been targeted in attacks and says that affected organizations can upgrade to OneView version 11.00 or later, available through HPE’s Software Center, to patch it.
On devices running OneView versions 5.20 through 10.20, the vulnerability can be addressed by deploying a security hotfix, which should be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.
Separate downloads are available for the virtual appliance security hotfix and the Synergy security hotfix through dedicated support pages.
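The version ranges above can be turned into a quick inventory triage. The following is an added example, not HPE code: the dotted version-string format, the status labels and the sample inventory are assumptions made for illustration, and the hotfix state has to come from your own records.

```python
# Added example: triage OneView appliances against the ranges in this article.
FIXED = (11, 0)        # article: version 11.00 or later contains the fix
HOTFIX_MIN = (5, 20)   # article: the hotfix covers 5.20 through 10.20
HOTFIX_MAX = (10, 20)

def parse_version(text):
    """Turn '10.20' or '7.00.00' into (major, minor); reject anything else."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognized version string: {text!r}")
    return int(parts[0]), int(parts[1])

def triage(version, hotfix_applied=False):
    """Classify one appliance (status labels are hypothetical)."""
    v = parse_version(version)
    if v >= FIXED:
        return "fixed"
    if HOTFIX_MIN <= v <= HOTFIX_MAX:
        return "hotfixed" if hotfix_applied else "apply-hotfix-or-upgrade"
    # Affected (before 11.00) but outside the range the hotfix is described for.
    return "upgrade-required"

def needs_reapply(prev_version, new_version, reimaged=False):
    """Article: the hotfix is lost after a 6.60-or-later to 7.00.00 upgrade,
    or after any HPE Synergy Composer reimaging operation."""
    if reimaged:
        return True
    return (parse_version(prev_version) >= (6, 60)
            and parse_version(new_version) == (7, 0))

def triage_inventory(inventory):
    """Map appliance name -> status for (name, version, hotfix_applied) rows."""
    return {name: triage(ver, hf) for name, ver, hf in inventory}

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("ov-lab-01", "11.00", False),
        ("ov-prod-02", "10.20", True),
        ("ov-prod-03", "8.30", False),
        ("ov-legacy-04", "5.10", False),
    ]
    for name, status in triage_inventory(sample).items():
        print(f"{name}: {status}")
```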
In June, HPE patched eight vulnerabilities in StoreOnce, its disk-based backup and deduplication solution, including a critical-severity authentication bypass and three remote code execution flaws.
One month later, in July, it warned of hardcoded credentials in Aruba Instant On Access Points that could allow attackers to access the web interface after bypassing normal system authentication.
HPE has over 61,000 employees worldwide and has reported revenues of $30.1 billion in 2024. Its services are used by over 55,000 organizations worldwide, including 90% of Fortune 500 companies.

