
CISA tags max severity HPE OneView flaw as actively exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a maximum-severity HPE OneView vulnerability as actively exploited in attacks.

HPE's OneView infrastructure management software helps IT admins automate the management of storage, servers, and networking devices from a centralized interface.

Tracked as CVE-2025-37164, this critical security flaw was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to HPE, which released security patches in mid-December.


CVE-2025-37164 affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code-injection attacks to gain remote code execution on unpatched systems.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE warned on December 16.

There are no workarounds or mitigations for CVE-2025-37164, so HPE advised customers to upgrade to OneView version 11.00 or later (available through HPE's Software Center) as soon as possible.
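Because the only remediation is an upgrade, the practical question for defenders is which appliances are still on a release below 11.00. The following script is an added example, not code from the article, HPE or CISA: it takes a constructed inventory of OneView hostnames and version strings (hypothetical values) and flags each as vulnerable, patched or unknown. The only fact it relies on from the article is the fixed version, 11.00; it does not query any OneView API.

```python
"""Flag HPE OneView appliances still below the fixed version for CVE-2025-37164.

Added example; the inventory below is constructed sample data, not pulled
from any real system. Only the fixed version (11.00) comes from the advisory.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

CVE_ID = "CVE-2025-37164"
FIXED_VERSION = "11.00"  # first release containing the fix, per HPE

# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = [
    ("oneview-dc1.example.internal", "10.10"),
    ("oneview-dc2.example.internal", "11.00"),
    ("oneview-lab.example.internal", "9.20.1"),
    ("oneview-dc3.example.internal", "11.10"),
    ("oneview-old.example.internal", "unknown"),
]


def parse_version(text: str) -> tuple[int, ...] | None:
    """Turn '10.10', 'v11.00' or '9.20.1' into an integer tuple; None if unparseable.

    Comparing integer tuples avoids the string-comparison trap where
    '9.20' sorts after '11.00' lexically and would be reported as patched.
    """
    m = re.fullmatch(r"\s*v?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str) -> bool | None:
    """True if below the fixed version, False if fixed, None if unknown."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    fixed = parse_version(FIXED_VERSION)
    # Pad to equal length so '11' compares equal to '11.00' rather than below it.
    width = max(len(parsed), len(fixed))
    parsed = parsed + (0,) * (width - len(parsed))
    fixed = fixed + (0,) * (width - len(fixed))
    return parsed < fixed


@dataclass
class Finding:
    host: str
    version: str
    status: str  # "vulnerable", "patched" or "unknown"


def assess(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Classify every (host, version) pair in the inventory."""
    findings = []
    for host, version in inventory:
        result = is_vulnerable(version)
        if result is None:
            status = "unknown"  # needs manual verification, not silent acceptance
        else:
            status = "vulnerable" if result else "patched"
        findings.append(Finding(host, version, status))
    return findings


def main() -> None:
    print(f"{CVE_ID}: fixed in OneView {FIXED_VERSION}")
    for f in assess(SAMPLE_INVENTORY):
        print(f"{f.host:32} {f.version:8} {f.status}")


if __name__ == "__main__":
    main()
```

Hosts reported as "unknown" are deliberately not treated as patched; a version string the parser cannot read should be resolved by hand rather than dropped from the list.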

CISA has also added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Even though BOD 22-01 targets only federal agencies, CISA encouraged all organizations, including those in the private sector, to patch their devices against this actively exploited flaw as soon as possible.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA warned on Wednesday.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," it added.

In July, HPE also warned of hardcoded credentials in Aruba Instant On Access Points that could allow attackers to bypass standard device authentication. One month earlier, it patched eight vulnerabilities in its StoreOnce disk-based backup and deduplication solution, including three remote code execution flaws and a critical-severity authentication bypass.

HPE reported revenues of $30.1 billion in 2024 and has over 61,000 employees worldwide. It provides services and products to over 55,000 organizations worldwide, including 90% of Fortune 500 companies.
