Infrastructure at Risk: CISA Flags Max-Severity RCE in HPE OneView
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a formal advisory regarding the active exploitation of a critical vulnerability within HPE OneView, the integrated IT infrastructure management solution by Hewlett Packard Enterprise.
Designed for the centralized administration of servers, storage arrays, and networking hardware, OneView is a cornerstone of modern data centers. The identified flaw, designated as CVE-2025-37164, has been assigned the maximum severity rating on the CVSS scale and is currently being leveraged by adversaries in live incursions.
The vulnerability was unearthed by Vietnamese researcher Nguyen Quoc Khanh (brocked200). Although HPE released remedial patches in mid-December, CISA confirms that a significant number of systems remain exposed and are being actively targeted.
CVE-2025-37164 affects all versions of OneView up to and including version 11.00. It allows an unauthenticated remote attacker to execute arbitrary code on the host server. The attack requires minimal sophistication and enables code injection through the management interfaces.
On December 16, HPE cautioned that the defect enables remote code execution without the necessity of credentials. Crucially, no temporary workarounds exist to mitigate this risk. The sole effective defense is to upgrade OneView to version 11.00 or higher, available via the official HPE Support Center.
Following confirmation of these exploits, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Pursuant to Binding Operational Directive (BOD) 22-01, U.S. federal civilian executive branch agencies are mandated to remediate the flaw within three weeks, specifically by January 28. While this directive applies formally to government entities, the agency strongly urges all private sector organizations to prioritize this update immediately.
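For teams tracking the KEV deadline across a fleet of appliances, the following is an added example of a small remediation tracker; it is not code from the article, from HPE or from CISA. It assumes a minimum acceptable release of 11.00, following the HPE upgrade guidance quoted above (the threshold is a parameter, so it can be changed if your copy of the advisory states the affected range differently), takes the January 28 due date to fall in 2026 since the patches shipped in December 2025, and uses a constructed inventory of hostnames and versions rather than real systems.

```python
"""Added example: KEV remediation tracker for an HPE OneView fleet.

Assumptions (not stated by the article):
- FIXED_VERSION 11.00 follows the quoted HPE upgrade guidance;
- the BOD 22-01 due date of January 28 is taken to be in 2026;
- SAMPLE_INVENTORY is constructed sample data, not real hosts.
"""
from dataclasses import dataclass
from datetime import date

CVE_ID = "CVE-2025-37164"
FIXED_VERSION = "11.00"            # assumption: minimum acceptable release
KEV_DUE_DATE = date(2026, 1, 28)   # assumption: year inferred from the timeline

# Constructed inventory: (hostname, OneView version reported by the appliance)
SAMPLE_INVENTORY = [
    ("oneview-dc1.example.internal", "10.20"),
    ("oneview-dc2.example.internal", "11.00"),
    ("oneview-lab.example.internal", "9.10"),
    ("oneview-edge.example.internal", "11.10"),
]


def parse_version(text: str) -> tuple:
    """Turn '11.00' or '10.20.1' into an integer tuple so that comparison
    is numeric ('10.9' sorts before '10.10', unlike a string compare)."""
    return tuple(int(part) for part in text.strip().split("."))


def needs_remediation(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the appliance runs a release older than the fixed one."""
    return parse_version(version) < parse_version(fixed)


@dataclass
class Finding:
    host: str
    version: str
    vulnerable: bool
    days_to_deadline: int


def assess(inventory, today_iso: str, fixed: str = FIXED_VERSION,
           due: date = KEV_DUE_DATE) -> list:
    """Return one Finding per host, vulnerable hosts first, oldest release first.

    today_iso is an ISO date string (e.g. '2026-01-14') so runs are reproducible.
    A negative days_to_deadline means the BOD 22-01 due date has already passed.
    """
    today = date.fromisoformat(today_iso)
    findings = [
        Finding(host, ver, needs_remediation(ver, fixed), (due - today).days)
        for host, ver in inventory
    ]
    findings.sort(key=lambda f: (not f.vulnerable, parse_version(f.version)))
    return findings


def report(findings) -> str:
    """Render a plain-text status table for a ticket or a change request."""
    lines = [f"{CVE_ID}: fixed >= {FIXED_VERSION}, KEV due {KEV_DUE_DATE.isoformat()}"]
    for f in findings:
        status = "UPGRADE" if f.vulnerable else "ok"
        lines.append(f"{status:8} {f.host:32} {f.version:8} {f.days_to_deadline:+d} days")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(assess(SAMPLE_INVENTORY, today_iso="2026-01-14")))
```

Feed `assess` the output of whatever inventory source you already trust (a CMDB export or the appliance's own version banner) and keep the version threshold and due date in one place so the same script can be reused for the next KEV entry.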
CISA emphasizes that such vulnerabilities frequently serve as opportunistic entry points for broader systemic compromises, posing an existential threat to large-scale infrastructures. If immediate patching is unfeasible, the agency recommends either strict adherence to the manufacturer’s cloud-specific security guidance or the temporary decommissioning of the product.
This incident marks another troubling milestone for HPE in recent months. In July, the firm disclosed the presence of hardcoded credentials in Aruba Instant On access points, which permitted authentication bypass. A month prior, HPE addressed eight vulnerabilities in its StoreOnce backup systems, including multiple flaws facilitating remote code execution and critical security bypasses.
In 2024, Hewlett Packard Enterprise reported a staggering revenue of $30.1 billion. Bolstered by a global workforce exceeding 61,000 employees, its solutions are deployed by over 55,000 organizations worldwide, including approximately 90 percent of the Fortune 500.