CVE-2025-37164

HPE OneView Remote Code Execution Vulnerability | CISA KEV

CVE-2025-37164 is a critical remote code execution vulnerability in HPE OneView that can be exploited by an unauthenticated remote attacker. HPE rates it as a CVSS 10.0 and lists impacted versions as HPE OneView, all versions through 10.20.

CISA added CVE-2025-37164 to the Known Exploited Vulnerabilities (KEV) catalog on January 7, 2026, indicating evidence of active exploitation and making this an urgent fix-and-verify priority.

Technical Details

Attack surface: HPE does not publish technical exploitation details in the bulletin. Rapid7 analysis indicates a REST API endpoint reachable without authentication may be involved.

Vulnerability type: Code injection leading to unauthenticated remote code execution.

Severity: CVSS 3.1 base score 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

Stop Guessing, Start Proving

HPE OneView CVE-2025-37164 remote code execution attack path visualization
Run a Test Now

NodeZero® Offensive Security Platform – Rapid Response

A Rapid Response test for CVE-2025-37164 launched January 14, 2026. Rapid Response customers can use it to quickly validate exploitability across internal and internet-facing OneView instances and then confirm remediation after applying fixes.

  • Run the Rapid Response test: Run the HPE OneView (CVE-2025-37164) Rapid Response test from the customer portal to identify exploitable instances.
  • Patch immediately: Apply HPE’s security hotfix for affected versions. HPE states the hotfix applies to HPE OneView version 5.20 through version 10.20. HPE also notes the hotfix must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.
  • Re-run the Rapid Response test: Re-test after hotfix application to confirm the target is no longer exploitable.

Note: Third-party guidance commonly frames remediation as upgrading to a fixed major version (11.x) or applying the vendor hotfix. The vendor bulletin itself focuses on the security hotfix path.

Indicators of Compromise (for hunting)

IndicatorTypeDescription
Requests to high-risk OneView REST endpoints (example: /rest/id-pools/executeCommand)Network / WebHPE does not list endpoint IOCs in the bulletin. Rapid7’s analysis discusses REST endpoint exposure as a likely exploitation path; hunt for unusual REST calls from untrusted segments, unusual user agents, and requests containing command-injection patterns.
Unexpected process execution originating from OneView servicesHostLook for OneView web or API processes spawning shells, scripting engines, or system utilities atypical for the appliance baseline.
New or anomalous outbound connections from the OneView applianceNetworkPrioritize new destinations shortly after suspicious REST activity, especially infrastructure used for payload retrieval or interactive shells.

Affected versions and patch

  • Affected: HPE OneView, all versions through 10.20.
  • Fix: Apply HPE’s security hotfix for HPE OneView 5.20 through 10.20, observing HPE’s reapplication requirements after certain upgrade or reimage scenarios.

References

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By