Security researchers have detailed a maximum-severity vulnerability in Hewlett Packard Enterprise’s (HPE) OneView software, revealing how a seemingly obscure feature could allow unauthenticated attackers to seize control of critical infrastructure management systems.
The vulnerability, tracked as CVE-2025-37164, allows for remote code execution (RCE) and affects OneView versions prior to v11.00. While HPE issued a broad advisory, a new technical analysis sheds light on the specific mechanics of the flaw—and why some versions might be more exposed than others.
The flaw, discovered by researcher Nguyen Quoc Khanh (brocked200), resides in the way OneView handles the “ID Pools” feature.
By analyzing the hotfix released by HPE, researchers noticed a specific change to the HTTP configuration file: a rule blocking access to the REST endpoint /rest/id-pools/executeCommand. Digging deeper into the appliance's code, they discovered that this specific API endpoint was configured with `auth-type="NO_AUTH"`, explicitly bypassing authentication checks.
The underlying code for this endpoint was shockingly simple. It accepted a JSON payload containing a command string (cmd) and passed it directly to Runtime.exec, a Java function that executes system commands.
“This method is exactly what it sounds like; the Runtime.exec method is called to execute the provided command string,” the analysis notes.
Interestingly, the path to exploitation wasn’t straightforward for every version. When researchers initially attempted to exploit a standard OneView VM installation, the server responded with a 404 Not Found error, despite the advisory stating broad vulnerability.
The investigation revealed that the vulnerable “ID Pools” feature is not universally enabled.
- HPE OneView for VMs: The feature appears to be present only in the legacy 6.x branch.
- HPE OneView for Synergy: Documentation suggests the feature is present across all versions.
“We suspect that only ‘HPE OneView for VMs’ version 6.x is vulnerable… whereas all unpatched versions of ‘HPE OneView for HPE Synergy’ are vulnerable,” the researchers concluded.
On vulnerable systems where the feature is active, the impact is catastrophic. By sending a simple malicious PUT request, researchers successfully opened a reverse shell.
The attacker gains access as the trm3 user. Crucially, the system's security configuration leaves this user "unconfined" by SELinux policies, granting the attacker significant freedom to maneuver within the appliance. A Metasploit module for CVE-2025-37164 has also been published.
HPE has released OneView v11.00 to address the flaw. For administrators unable to upgrade immediately, hotfixes are available for versions 5.20 through 10.20. Given the “low-complexity” nature of the attack and the availability of exploit details, organizations are urged to apply these updates immediately.
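For defenders triaging exposure, the two facts the analysis gives are enough to build a quick check: the endpoint path the hotfix blocks, and the affected version range. The following Python is an added example (not code from the researchers, HPE, or the Metasploit module); it assumes the appliance's web access logs can be exported in an Apache-style common log format, which is an assumption, and the sample lines are constructed for illustration. It flags requests to /rest/id-pools/executeCommand, distinguishing a 200 (the feature was reachable, as on Synergy or 6.x VM builds) from a 404 (the feature was absent, as the researchers saw on a standard VM install), and classifies a version string against the v11.00 fix and the 5.20 to 10.20 hotfix range.

```python
import re
from typing import Dict, List, Tuple

# Endpoint named in the hotfix analysis; the HPE hotfix adds an HTTP rule blocking it.
EXECUTE_COMMAND_PATH = "/rest/id-pools/executeCommand"
FIXED_VERSION: Tuple[int, int] = (11, 0)            # OneView v11.00 addresses the flaw
HOTFIX_RANGE = ((5, 20), (10, 20))                  # hotfixes cover 5.20 through 10.20

# Constructed sample access-log lines (Apache-style common log format, assumed);
# not taken from any real appliance.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2025:10:01:22 +0000] "GET /rest/version HTTP/1.1" 200 512
203.0.113.7 - - [12/Jun/2025:10:01:25 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 200 64
198.51.100.4 - - [12/Jun/2025:10:02:03 +0000] "GET /rest/id-pools/ HTTP/1.1" 401 0
203.0.113.7 - - [12/Jun/2025:10:02:40 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_version(version: str) -> Tuple[int, int]:
    """Turn 'v10.20' / '10.20' into (10, 20) for ordered comparison."""
    major, minor = version.strip().lstrip("vV").split(".")[:2]
    return int(major), int(minor)


def is_affected(version: str) -> bool:
    """True for any release prior to v11.00, per the advisory."""
    return parse_version(version) < FIXED_VERSION


def hotfix_available(version: str) -> bool:
    """True when the installed branch falls inside the 5.20-10.20 hotfix range."""
    return HOTFIX_RANGE[0] <= parse_version(version) <= HOTFIX_RANGE[1]


def find_execute_command_requests(log_text: str) -> List[Dict[str, object]]:
    """Return every request to the executeCommand endpoint, marking whether it answered."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue
        # Normalise: drop any query string and trailing slash, compare case-insensitively.
        path = match.group("path").split("?", 1)[0].rstrip("/")
        if path.lower() != EXECUTE_COMMAND_PATH.lower():
            continue
        record: Dict[str, object] = dict(match.groupdict())
        # A 200 means the ID Pools feature was present and the endpoint executed;
        # a 404 matches the researchers' observation on builds without the feature.
        record["reachable"] = match.group("status") == "200"
        hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_execute_command_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["src"]} {hit["method"]} status={hit["status"]} '
              f'reachable={hit["reachable"]}')
    for v in ("6.60", "10.20", "v11.00"):
        print(v, "affected" if is_affected(v) else "fixed",
              "hotfix" if hotfix_available(v) else "no-hotfix")
```

Any hit with `reachable=True` on an unpatched host is worth treating as an incident rather than a scan, since the page describes the endpoint as executing the supplied command without authentication; a 404 still records that the source probed for it.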