HPE tells customers to patch fast as OneView RCE bug scores a perfect 10
Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform
by Carly Page · The Register

Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.
The vulnerability, tracked as CVE-2025-37164 and rated a maximum 10.0 on the CVSS scale, affects HPE OneView versions 5.20 through 10.20 and allows unauthenticated remote code execution, according to an advisory published by the company this week. OneView sits at the heart of many enterprise environments, serving as a central control plane for servers, firmware, storage, and lifecycle management.
"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution."
HPE said the issue was reported by security researcher Nguyen Quoc Khanh and is urging customers to either upgrade to OneView 11.0 or apply the emergency hotfix immediately. Separate fixes are available for the OneView virtual appliance and for HPE Synergy deployments.
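For defenders who need to work out which appliances fall inside the affected range, here is a small inventory triage script. It is an added example for this article, not code from HPE, Rapid7 or the OneView product; the only figures it takes from the advisory are the affected range (5.20 through 10.20) and the fixed release (11.0). The hostnames, version strings and the `hotfix_applied` flag in the sample inventory are constructed. The one thing it is careful about is comparing versions component-wise as integers: naive string comparison ranks "10.20" below "5.20" and would silently miss every 10.x appliance.

```python
from typing import Dict, List, Tuple

# Affected range and fixed release as stated in the HPE advisory
# quoted in the article (major, minor as integers).
AFFECTED_MIN = (5, 20)
AFFECTED_MAX = (10, 20)
FIXED_RELEASE = (11, 0)


def parse_version(version: str) -> Tuple[int, int]:
    """Turn a 'major.minor' OneView version string into an integer tuple.

    Tuples compare component-wise, so (10, 20) > (5, 20) as intended.
    Plain string comparison gets this wrong ('10.20' < '5.20' lexically).
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised OneView version string: {version!r}")
    return int(parts[0]), int(parts[1])


def is_affected(version: str) -> bool:
    """True if the version lies inside the advisory's affected range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def is_fixed_release(version: str) -> bool:
    """True if the appliance already runs the fixed release (11.0) or later."""
    return parse_version(version) >= FIXED_RELEASE


def triage(inventory: List[Dict]) -> Dict[str, str]:
    """Classify each appliance record for patch prioritisation.

    Each record is a dict with 'host', 'version' and an optional
    'hotfix_applied' flag (the flag is a constructed field for this example;
    it stands in for whatever your CMDB records about the emergency hotfix).
    """
    results: Dict[str, str] = {}
    for rec in inventory:
        ver = rec["version"]
        if is_fixed_release(ver):
            status = "ok: fixed release"
        elif is_affected(ver):
            # A hotfixed box is still flagged for verification rather than
            # marked clean: confirm the hotfix actually took.
            status = ("hotfixed: verify" if rec.get("hotfix_applied")
                      else "VULNERABLE: patch now")
        else:
            # The advisory's range starts at 5.20; anything older is not
            # covered by the published statement, so escalate rather than assume.
            status = "outside advisory range: confirm with HPE"
        results[rec["host"]] = status
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "ov-prod-01", "version": "10.20"},
    {"host": "ov-prod-02", "version": "6.60", "hotfix_applied": True},
    {"host": "ov-lab-01", "version": "11.0"},
    {"host": "ov-legacy-01", "version": "5.10"},
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14s} {status}")
```

Feed it your real appliance list and anything marked "VULNERABLE" goes to the top of the change queue; "hotfixed: verify" entries still deserve a manual check, since the hotfix is a stopgap and the advisory's recommended end state is the 11.0 upgrade.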
Rapid7, which has analyzed the vulnerability and the vendor's hotfix, told The Register that the real danger isn't just code execution, but where it happens. OneView is typically deployed deep inside the network with sweeping privileges and minimal scrutiny, because it's assumed to be trustworthy. An unauthenticated RCE at that layer doesn't just open a door – it hands over the keys to the building.
In other words, popping OneView could give an attacker centralized control over large chunks of infrastructure at scale, rather than access to a single compromised box. That makes it a far more attractive target than the average edge-facing server bug.
Rapid7's initial inspection of the hotfix suggests the vulnerability is tied to a specific REST API endpoint exposed by the appliance. The fix works by blocking access to that endpoint at the web server level, and the firm said it has a high degree of confidence that this endpoint is the primary access vector.
HPE has not said whether the flaw is being actively exploited, but history suggests bugs like this don't stay theoretical for long. Highly privileged management platforms are often targeted by ransomware crews and other attackers seeking shortcuts past perimeter defenses.
For now, if you're running a vulnerable version of OneView, patch or upgrade immediately. Rapid7, meanwhile, suggests defenders treat the issue as an assumed-breach scenario, review network segmentation, and stop treating infrastructure management layers as untouchable. ®