How can organizations remediate CVE-2025-37164 in OneView?

Organizations must upgrade to OneView version 11.00 or later, or apply the official security hotfixes. There are no alternative mitigations or workarounds.

Were there any known attacks exploiting this vulnerability at disclosure?

As of disclosure, there were no confirmed in-the-wild exploits, but the flaw’s severity prompted immediate patching due to the high risk of opportunistic attacks.

HPE OneView 2025: Critical Remote Code Execution Flaw Places Global Enterprises at Risk

Q: What is the primary security risk in HPE OneView's recent vulnerability?

The main risk is unauthenticated remote attackers gaining full control over affected systems through arbitrary code execution, threatening entire IT environments.

A critical remote code execution vulnerability in HPE OneView exposes thousands of organizations worldwide, making urgent patching essential to defend IT infrastructure.

Published: January 10, 2026

Share this on:

Executive Summary

In December 2025, Hewlett Packard Enterprise (HPE) disclosed a maximum-severity security vulnerability (CVE-2025-37164) in its HPE OneView infrastructure management software. The flaw enabled unauthenticated remote attackers to execute arbitrary code on affected systems through low-complexity code injection, threatening widespread compromise of connected server, storage, and networking infrastructure. Reported by security researcher Nguyen Quoc Khanh, the vulnerability affected all OneView versions prior to v11.00, with no workarounds or mitigations available aside from applying vendor patches or hotfixes. As of publication, there were no confirmed reports of exploitation in the wild, but the risk to global HPE customers—including many Fortune 500 companies—was considered severe.

The incident highlights the ongoing risks posed by critical remote code execution vulnerabilities in widely-used infrastructure management tools. With attackers regularly scanning for vulnerable systems and exploiting them in supply chain and ransomware campaigns, organizations must prioritize rapid patching and holistic vulnerability management to stay resilient.

Why This Matters Now

This critical vulnerability underscores the persistent threat of RCE flaws in core IT management platforms, which are prized targets for threat actors seeking broad access. With no viable mitigation except urgent patching, organizations that delay updates risk disruptive compromise, regulatory scrutiny, and potentially significant data loss.

Attack Path Analysis

The attacker exploited an unauthenticated remote code execution vulnerability in HPE OneView to achieve initial access. Leveraging this foothold, they likely escalated privileges by executing code under elevated process accounts. With these privileges, the attacker could move laterally across east-west traffic paths within the infrastructure. They established outbound communication with external infrastructure for command and control. Sensitive data could then be exfiltrated through unmonitored egress channels. The final impact could include system disruption, data leakage, or further compromise of IT assets.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

Mediuminferred

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

Lowinferred

Impact

Lowinferred

Initial Compromise

Description

Threat actors exploited CVE-2025-37164, an unauthenticated RCE in HPE OneView, to gain a remote foothold without credentials.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2025-37164
CVSS 9.8
A remote code execution vulnerability in HPE OneView allows unauthenticated attackers to execute arbitrary code.
Affected Products:
Hewlett Packard Enterprise OneView – < 11.00
Exploit Status:
exploited in the wild
References:
https://nvd.nist.gov/vuln/detail/CVE-2025-37164 https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164

MITRE ATT&CK® Techniques

Initial Access

T1190

Exploit Public-Facing Application

Execution

T1059

Command and Scripting Interpreter

Persistence

T1078

Valid Accounts

Persistence

T1136

Create Account

Lateral Movement

T1021

Remote Services

Defense Evasion

T1562

Impair Defenses

Command and Control

T1105

Ingress Tool Transfer

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Address Commonly Exploited Vulnerabilities

Control ID: 6.2.4

Failure to patch a critical RCE vulnerability in HPE OneView exposed systems to an exploitable flaw, representing a lapse in vulnerability management responsibilities required to protect cardholder data environments.

NYDFS 23 NYCRR 500 – Cybersecurity Policy

Control ID: 500.03

The persistence of an exploitable remote code execution vulnerability indicates gaps in secure software lifecycle management and technical controls required by a comprehensive cybersecurity policy.

DORA – ICT Risk Management Framework

Control ID: Article 9(2)

Unpatched OneView systems demonstrate inadequacies in the institution’s ICT risk management framework, specifically in the rapid identification and mitigation of severe software vulnerabilities.

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Asset Vulnerability Management

Control ID: Asset Management

Lack of timely mitigation and patching of known RCE vulnerabilities in critical infrastructure components undermines asset management and the zero trust principle of continuous verification.

NIS2 Directive – Cybersecurity Risk-management Measures

Control ID: Article 21

Failure to implement state-of-the-art measures to address known vulnerabilities violates the NIS2 requirement for security of network and information systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Information Technology/IT

Critical RCE vulnerability in HPE OneView infrastructure management software exposes IT operations to unauthenticated remote code execution attacks requiring immediate patching.

Health Care / Life Sciences

HPE OneView RCE flaw threatens healthcare infrastructure management systems, potentially compromising HIPAA compliance and critical medical device operations without available workarounds.

Financial Services

Maximum severity remote code execution vulnerability in HPE infrastructure management creates significant risk for financial institutions' centralized server and network operations.

Government Administration

Unauthenticated RCE vulnerability in HPE OneView poses severe threat to government infrastructure management, requiring immediate upgrade to version 11.00 or hotfix deployment.

Sources

HPE warns of maximum severity RCE flaw in OneView softwarehttps://www.bleepingcomputer.com/news/security/hpe-warns-of-maximum-severity-rce-flaw-in-oneview-software/
Verified

HPE Security Bulletin: HPE OneView Remote Code Execution Vulnerabilityhttps://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us

Verified

CISA Known Exploited Vulnerabilities Catalog Entry for CVE-2025-37164https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164

Verified

NVD CVE-2025-37164 Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-37164

Verified

Frequently Asked Questions

The main risk is unauthenticated remote attackers gaining full control over affected systems through arbitrary code execution, threatening entire IT environments.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Applying Zero Trust segmentation, workload isolation, traffic encryption, egress policy, and inline threat detection would have significantly constrained attacker movement, reduced blast radius, and enhanced detection of malicious activity throughout the attack chain.

Initial Compromise

Control: Cloud Firewall (ACF)

Mitigation: Unauthenticated exploitation attempts detected and blocked at the perimeter.

Privilege Escalation

Control: Threat Detection & Anomaly Response

Mitigation: Unusual process or access activity detected post-compromise.

Lateral Movement

Control: Zero Trust Segmentation

Mitigation: Lateral movement contained and blocked between micro-segmented workloads.

Command & Control

Control: Egress Security & Policy Enforcement

Mitigation: Malicious outbound traffic detected and prevented.

Exfiltration

Control: Encrypted Traffic (HPE)

Mitigation: Unauthorized data exfiltration detectable and encrypted in transit.

Impact (Mitigations)

Rapid detection and response to integrity-impacting events.

Impact at a Glance

Affected Business Functions

Infrastructure Management
IT Operations

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $500,000

Data Exposure

Potential exposure of sensitive infrastructure configurations and administrative credentials.

Recommended Actions

• Segment management interfaces from all untrusted networks using strict Zero Trust microsegmentation.
• Mandate boundary cloud firewalls with granular allow-listing for all infrastructure management tools.
• Enforce continuous anomaly-based threat detection and privilege escalation monitoring across workloads.
• Implement rigorous egress controls with FQDN and application-aware filtering to prevent C2 and data leakage.
• Maintain up-to-date vulnerability management and rapidly apply vendor security hotfixes to critical assets.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

HPE OneView 2025: Critical Remote Code Execution Flaw Places Global Enterprises at Risk

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2025-37164

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Exploit Public-Facing Application

Command and Scripting Interpreter

Valid Accounts

Create Account

Remote Services

Impair Defenses

Ingress Tool Transfer

Potential Compliance Exposure

PCI DSS 4.0 – Address Commonly Exploited Vulnerabilities

NYDFS 23 NYCRR 500 – Cybersecurity Policy

DORA – ICT Risk Management Framework

CISA Zero Trust Maturity Model (ZTMM) 2.0 – Asset Vulnerability Management

NIS2 Directive – Cybersecurity Risk-management Measures

Sector Implications

Information Technology/IT

Health Care / Life Sciences

Financial Services

Government Administration

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads