Max-Severity RCE Patched in HPE OneView (CVE-2025-37164)
[Update] January 9, 2026: CISA Adds HPE OneView Bug CVE-2025-37164 to the KEV Catalog
Hewlett Packard Enterprise (HPE) has recently addressed a serious security issue affecting its OneView software, a platform widely used to manage and automate IT infrastructure from a centralized interface. The flaw, tracked as CVE-2025-37164 and rated maximum severity, allows an attacker to execute code remotely without authentication under certain conditions.
This post explains what the vulnerability is, which versions are affected, how exploitation could affect enterprise environments, and what administrators should do next.
What Is CVE-2025-37164?
According to HPE, CVE-2025-37164 (CVSS 10.0) could allow an unauthenticated attacker to achieve Remote Code Execution (RCE). In practical terms, this means an attacker could potentially run arbitrary commands on the affected system without valid credentials.

Quick details of CVE-2025-37164 (SOCRadar Labs CVE Radar)
A CVSS score of 10.0 reflects a combination of factors: a network-based attack vector, low attack complexity, no required privileges, and high impact on confidentiality, integrity, and availability. Vulnerabilities with this rating are typically prioritized for immediate remediation because successful exploitation could result in full system compromise.
Which HPE OneView Versions Are Affected?
HPE has confirmed that all versions of OneView up to and including v10.20 are impacted. Version 11.00 resolves the issue fully.
For organizations that cannot immediately upgrade, HPE has released security hotfixes applicable to versions 5.20 through 10.20, covering both the OneView virtual appliance and HPE Synergy Composer variants.
How Could the HPE OneView Vulnerability Impact Enterprise Environments?
OneView is often deployed in environments managing servers, storage, and networking at scale. If exploited, CVE-2025-37164 could allow attackers to:
- Gain unauthorized control over infrastructure management systems
- Modify configurations or deploy malicious workloads
- Disrupt availability of critical services
Because OneView operates with elevated control over infrastructure components, the downstream impact could extend beyond the management layer.
Is There Evidence of Active Exploitation?
CISA has added the critical CVE-2025-37164 vulnerability in HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. In December, eSentire published a Proof-of-Concept (PoC) exploit for this vulnerability, warning that public PoC availability significantly increases risk for organizations running versions prior to 11.0.
Federal agencies are advised to apply the required fixes by January 28, 2026, in line with Binding Operational Directive 22-01.
How Can Security Teams Improve Visibility Around Similar Risks?
Beyond patching, organizations benefit from better visibility into how critical vulnerabilities emerge and whether they affect exposed assets. SOCRadar’s Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) capabilities support this effort.
Solutions like SOCRadar help teams track newly disclosed CVEs, related threat activity, and potential exposure across their external attack surface. The CTI module delivers context around exploitation trends, while ASM continuously maps internet-facing assets to identify systems that may be impacted by high-severity issues such as CVE-2025-37164.

SOCRadar’s Vulnerability Intelligence
What Should You Do Next?
HPE recommends applying the provided security hotfixes or upgrading directly to OneView 11.00. Administrators should also note that certain upgrade paths and Synergy Composer reimaging processes require the hotfix to be reapplied. Alongside patching, organizations may benefit from reviewing network exposure and monitoring for unusual activity related to management interfaces.
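As an added example that is not part of this post or of HPE's own tooling, the following Python triages an inventory of OneView appliances against the facts stated above (fixed in 11.00, hotfixes available for 5.20 through 10.20, hotfix lost when a Synergy Composer is reimaged); the appliance names, versions and the `Appliance` record type are constructed for illustration.

```python
from dataclasses import dataclass

FIXED_VERSION = (11, 0)   # OneView 11.00 resolves CVE-2025-37164 fully
HOTFIX_MIN = (5, 20)      # HPE hotfixes cover 5.20 through 10.20 inclusive
HOTFIX_MAX = (10, 20)


def parse_version(text):
    """Turn 'v10.20', '10.20' or '11.00' into a (major, minor) int tuple.
    Comparing ints avoids the string-compare trap where '9.00' > '10.20'."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised OneView version: {text!r}")
    return int(parts[0]), int(parts[1])


@dataclass
class Appliance:
    name: str
    version: str
    hotfix_applied: bool = False
    reimaged_since_hotfix: bool = False  # Composer reimaging requires reapplying the hotfix


def triage(appliance):
    """Classify one appliance against the bulletin's version ranges."""
    v = parse_version(appliance.version)
    if v >= FIXED_VERSION:
        return "fixed"
    if HOTFIX_MIN <= v <= HOTFIX_MAX:
        if appliance.hotfix_applied and not appliance.reimaged_since_hotfix:
            return "mitigated-by-hotfix"
        return "apply-hotfix-or-upgrade"
    # Older than 5.20 has no hotfix; anything else the bulletin does not list
    # is treated conservatively as needing the 11.00 upgrade.
    return "upgrade-required"


def triage_inventory(appliances):
    """Map each appliance name to its remediation state."""
    return {a.name: triage(a) for a in appliances}


# Constructed sample inventory (hypothetical hosts, not real assets).
SAMPLE_INVENTORY = [
    Appliance("oneview-prod", "v10.20"),
    Appliance("oneview-lab", "11.00"),
    Appliance("composer-rack3", "9.00", hotfix_applied=True, reimaged_since_hotfix=True),
    Appliance("oneview-legacy", "5.10"),
]

if __name__ == "__main__":
    for name, state in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16s} {state}")
```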
For full details and official remediation guidance, refer to HPE’s security bulletin.
