Hewlett Packard Enterprise (HPE) has sounded the alarm on a catastrophic security vulnerability in its flagship infrastructure management software, OneView. The flaw, tracked as CVE-2025-37164, has been assigned a maximum CVSS score of 10.0, indicating that it poses an immediate and total threat to unpatched systems.
The vulnerability allows for Remote Code Execution (RCE) by a user who is entirely unauthenticated.
HPE OneView acts as the automation engine for hybrid cloud environments, managing servers, storage, and networking. A compromise here is effectively a compromise of the data center’s “brain.”
According to the advisory, the flaw allows a remote attacker to execute arbitrary code without ever needing to log in. In practical terms, this means a threat actor could seize control of the management appliance from across the network without stealing a single credential. Once inside, they could potentially disrupt operations, deploy ransomware, or manipulate the physical hardware managed by the software. The vulnerability affects all HPE OneView versions prior to v11.00.
HPE has released an urgent resolution and is advising all customers to act immediately.
The primary fix is to upgrade the software entirely. “Hewlett Packard Enterprise OneView v11.00 or later addresses this vulnerability,” the company stated. Administrators can download the update via the My HPE Software Center or HPE Synergy Software Releases.
For organizations running older versions (v5.20 through v10.20) that cannot immediately upgrade to v11.00, HPE has released a security hotfix. However, applying this patch comes with a critical instruction that, if ignored, could leave the system exposed.
HPE warns that the hotfix is not persistent across certain upgrades. “The security hotfix must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.”
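The version facts above (fixed in v11.00, hotfix for v5.20 through v10.20, hotfix lost on a 6.60.xx to 7.00.00 upgrade or Composer reimage) can be turned into a fleet triage check. The following is an added example, not code from HPE or the advisory; the inventory records, their field names, and the `hotfix_applied_on` bookkeeping are constructed for this illustration, and the `verify_hotfix` outcome is a conservative choice for version changes the advisory does not describe.

```python
# Added example: triage an inventory of HPE OneView appliances against the
# advisory's version facts. Inventory format and field names are constructed.

FIXED_IN = (11, 0, 0)                       # v11.00 or later addresses CVE-2025-37164
HOTFIX_RANGE = ((5, 20), (10, 20))          # security hotfix offered for v5.20 - v10.20
REAPPLY_FROM, REAPPLY_TO = (6, 60), (7, 0, 0)  # hotfix lost on 6.60.xx -> 7.00.00 upgrade


def parse_version(text):
    """Turn '6.60.01', '10.20' or 'v11.00' into a comparable (major, minor, patch) tuple."""
    nums = tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    return (nums + (0, 0, 0))[:3]


def triage(appliance):
    """Classify one appliance record.

    Returns 'fixed', 'upgrade_required', 'apply_hotfix', 'reapply_hotfix',
    'verify_hotfix' or 'protected'.
    """
    ver = parse_version(appliance["version"])
    if ver >= FIXED_IN:
        return "fixed"
    if not (HOTFIX_RANGE[0] <= ver[:2] <= HOTFIX_RANGE[1]):
        return "upgrade_required"           # no hotfix for this version; only v11.00 helps
    applied_on = appliance.get("hotfix_applied_on")  # version running when hotfix was applied
    if applied_on is None:
        return "apply_hotfix"
    applied_ver = parse_version(applied_on)
    # Advisory rule: hotfix applied on 6.60.xx does not survive the upgrade to 7.00.00
    # (including a Synergy Composer reimage), so the appliance is exposed again.
    if applied_ver[:2] == REAPPLY_FROM and ver == REAPPLY_TO:
        return "reapply_hotfix"
    # Conservative assumption (not stated in the advisory): any other version change
    # since the hotfix was applied should be confirmed by hand.
    if applied_ver != ver:
        return "verify_hotfix"
    return "protected"


def triage_inventory(inventory):
    """Map each appliance hostname to its triage status."""
    return {a["host"]: triage(a) for a in inventory}


# Constructed sample inventory for demonstration.
SAMPLE_INVENTORY = [
    {"host": "ov-prod-01", "version": "11.00"},
    {"host": "ov-lab-02", "version": "4.10"},
    {"host": "ov-dc2-03", "version": "10.20", "hotfix_applied_on": "10.20"},
    {"host": "ov-dc2-04", "version": "7.00.00", "hotfix_applied_on": "6.60.01"},
    {"host": "ov-edge-05", "version": "8.00", "hotfix_applied_on": None},
]
```

Anything other than `fixed` or `protected` is an appliance to schedule work for, with `reapply_hotfix` being the case the advisory specifically warns about.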
Administrators are urged to verify their version numbers and apply the patches immediately, as a CVSS 10 vulnerability is often a top priority for ransomware groups and state-sponsored actors.