CVE-2025-37164 is a critical, maximum-severity remote code execution vulnerability affecting Hewlett Packard Enterprise (HPE) OneView, a centralized infrastructure management platform widely deployed in enterprise data centers worldwide. The vulnerability was first publicly disclosed on December 16, 2025, and allows unauthenticated remote attackers to execute arbitrary code on vulnerable HPE OneView systems over the network without any user interaction or valid credentials. With a CVSS score of 10.0, the maximum severity rating, CVE-2025-37164 poses an immediate and severe risk to enterprise infrastructure management operations.
The CVE-2025-37164 vulnerability has been confirmed as actively exploited in the wild, with publicly available proof-of-concept exploit code circulating in security research communities and incorporated into penetration testing frameworks including Metasploit. The combination of maximum severity scoring, confirmed active exploitation, public exploit availability, and the complete absence of authentication requirements creates an extraordinarily dangerous threat landscape for organizations operating vulnerable HPE OneView installations. Due to HPE OneView’s privileged administrative role in managing servers, storage systems, and network infrastructure, successful CVE-2025-37164 exploitation can lead to complete compromise of an organization’s entire managed infrastructure environment.
HPE has officially acknowledged CVE-2025-37164 and released comprehensive remediation guidance including security patches in HPE OneView version 11.0 and emergency hotfixes for earlier affected versions. Critically, HPE has explicitly confirmed that no workarounds exist for CVE-2025-37164, making immediate patching or upgrade the only viable remediation path for protecting vulnerable systems. Organizations are strongly advised to treat CVE-2025-37164 remediation as an emergency priority requiring immediate action, implement strict network access restrictions to HPE OneView management interfaces as interim mitigation, and conduct forensic analysis on any systems that may have been exposed prior to patching.
CVE-2025-37164 is classified as a code injection vulnerability (CWE-94) affecting HPE OneView, a sophisticated centralized infrastructure management platform that enterprises deploy to provide unified administration, monitoring, and automation for servers, storage arrays, and networking equipment across data center environments. The CVE-2025-37164 flaw enables unauthenticated remote attackers to inject and execute arbitrary code on vulnerable HPE OneView appliances over standard network connections, requiring absolutely no user interaction, valid authentication credentials, or any form of authorized access to the management platform.
The vulnerability resides in the /rest/id-pools/executeCommand API endpoint within HPE OneView’s REST API interface. This endpoint was intended for legitimate administrative operations but contains insufficient input validation and sanitization controls, allowing attackers to inject malicious code sequences that are executed with the elevated privileges of the HPE OneView application process. Because HPE OneView operates as a highly privileged infrastructure management platform with administrative access to all managed systems, successful code execution through CVE-2025-37164 effectively grants attackers complete control over the OneView appliance and potentially all infrastructure components managed through it.
CVE-2025-37164 has been assigned the maximum possible CVSS v3 base score of 10.0, reflecting the most severe vulnerability classification in the industry-standard scoring system. This perfect 10.0 score results from the combination of network-based attack vector, low attack complexity requiring minimal technical skill, complete absence of authentication requirements, no user interaction necessary, and catastrophic impact encompassing complete confidentiality, integrity, and availability compromise. The low attack complexity rating indicates that exploitation is straightforward and accessible even to relatively unsophisticated threat actors, significantly broadening the potential attacker population.
CVE-2025-37164 has been confirmed as actively exploited in real-world attacks, elevating the threat from theoretical to immediate operational risk. Security researchers have developed and publicly released proof-of-concept exploit code demonstrating CVE-2025-37164 exploitation, with working exploits incorporated into widely used penetration testing frameworks including Rapid7’s Metasploit. The public availability of exploitation tools dramatically lowers the barrier for opportunistic attackers to target vulnerable HPE OneView installations through automated scanning and exploitation campaigns.
From a comprehensive impact assessment perspective, successful CVE-2025-37164 exploitation grants attackers complete administrative control over the compromised HPE OneView appliance. This level of access enables threat actors to manipulate infrastructure configurations across all managed systems, potentially misconfiguring critical servers, storage, or network devices to create backdoors or facilitate further compromise. Attackers can deploy additional malware payloads, establish persistent command-and-control channels, exfiltrate sensitive configuration data and credentials for managed infrastructure, or deliberately disrupt critical services by manipulating infrastructure settings or shutting down managed systems.
The strategic positioning of HPE OneView within enterprise network architectures significantly amplifies the CVE-2025-37164 impact potential. Because OneView platforms typically reside in trusted management network segments with privileged access to production infrastructure, successful exploitation may enable lateral movement into otherwise segmented and protected environments. The management credentials and trust relationships that OneView maintains with managed systems create pathways for attackers to pivot from the initially compromised management platform into the broader production infrastructure ecosystem, potentially compromising servers, storage arrays, and network equipment throughout the data center.
Hewlett Packard Enterprise has officially addressed CVE-2025-37164 through multiple remediation options designed to accommodate different organizational deployment scenarios and upgrade timelines. The primary remediation path involves upgrading to HPE OneView version 11.0, which completely resolves the vulnerability by removing access to the vulnerable /rest/id-pools/executeCommand API endpoint. HPE strongly recommends version 11.0 upgrade as the preferred long-term solution for all affected deployments.
For organizations unable to immediately implement the full version 11.0 upgrade, HPE has released emergency security hotfixes including the HPE OneView Virtual Appliance hotfix (HPE_OV_CVE_37164_Z7550-98077) and the HPE Synergy CVE Security Hotfix available through HPE’s official support portals and licensing systems. Organizations implementing these hotfixes must carefully note that the security patches require reapplication after performing certain upgrade operations, including upgrades from HPE OneView version 6.60.xx to 7.00.00 and after any HPE Synergy Composer reimage procedures.
Critically, HPE has explicitly stated that no workarounds exist for CVE-2025-37164, making patching or upgrade the only effective remediation approach. This absence of workaround options eliminates the possibility of configuration-based mitigation and necessitates that organizations prioritize the installation of official security updates as the sole path to eliminating CVE-2025-37164 risk from their environments.
Organizations operating HPE OneView should prioritize upgrading to version 11.0 as the most comprehensive and permanent remediation for CVE-2025-37164. The version 11.0 upgrade addresses the vulnerability through architectural changes that remove the vulnerable API endpoint entirely, providing long-term protection against this vulnerability and potentially related security issues that might affect similar code paths. This upgrade approach represents the strongest defensive posture and is strongly recommended for all HPE OneView deployments regardless of current version.
For organizations unable to immediately schedule and execute the full upgrade to HPE OneView version 11.0 due to change management constraints, maintenance windows, or operational considerations, HPE has released emergency hotfixes that must be deployed without delay. The HPE OneView Virtual Appliance hotfix (HPE_OV_CVE_37164_Z7550-98077) and HPE Synergy CVE Security Hotfix are available through HPE’s official support portals and licensing systems. Organizations implementing these emergency patches must carefully document that hotfixes require reapplication following specific upgrade operations including OneView upgrades from 6.60.xx to 7.00.00 and after HPE Synergy Composer reimage procedures.
Organizations should immediately implement strict network access controls limiting connectivity to HPE OneView management interfaces exclusively to trusted IP addresses from designated administrative workstations or jump hosts. HPE OneView management platforms must never be directly exposed to the internet or accessible from untrusted network segments. Implementing rigorous network segmentation around critical infrastructure management systems reduces the attack surface available for CVE-2025-37164 exploitation and provides defense-in-depth protection even during the window between vulnerability disclosure and patch deployment.
Given the confirmed active exploitation of CVE-2025-37164 in real-world attacks, organizations must conduct thorough forensic analysis on any HPE OneView systems that may have been exposed to network access prior to patch deployment. Security teams should comprehensively review HPE OneView access logs, authentication records, and system audit trails for indicators of suspicious activity, particularly focusing on any unusual requests targeting the /rest/id-pools/executeCommand API endpoint. Any evidence of unauthorized access attempts, successful exploitation, or unexpected system modifications should trigger full incident response procedures including containment, investigation, and remediation activities.
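The log review described above, combined with the trusted-source restriction from the preceding paragraph, can be scripted. The following is an added example, not HPE tooling or code from the advisory: it assumes combined-log-format access lines (for instance from a reverse proxy in front of OneView), a hypothetical jump-host range, and constructed sample lines, and it goes slightly beyond a plain string search by also matching percent-encoded, double-slash and trailing-slash variants of the endpoint path.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

ENDPOINT = "/rest/id-pools/executecommand"  # path from the advisory, lowercased
# Assumption: admin jump-host range allowed to reach OneView (constructed value).
TRUSTED = [ipaddress.ip_network("10.20.30.0/28")]
# Assumption: combined-log-format lines, e.g. from a reverse proxy in front of OneView.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b')

def normalize(target):
    """Drop the query, undo single/double percent-encoding, collapse slashes."""
    path = target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    return re.sub(r"/{2,}", "/", path).rstrip("/").lower()

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed field: treat as untrusted
        return False
    return any(addr in net for net in TRUSTED)

def triage(lines):
    """Return {source_ip: [hit, ...]} for each request addressed to the endpoint."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = normalize(m["target"])
        if path == ENDPOINT or path.startswith(ENDPOINT + "/"):
            hits[m["ip"]].append({"time": m["ts"], "method": m["method"],
                                  "status": int(m["status"]),
                                  "trusted_source": is_trusted(m["ip"])})
    return dict(hits)

# Constructed sample lines (documentation/private address ranges), not real telemetry.
SAMPLE = [
    '10.20.30.5 - admin [16/Dec/2025:09:12:01 +0000] "GET /rest/version HTTP/1.1" 200 112',
    '198.51.100.23 - - [17/Dec/2025:02:41:09 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 48',
    '198.51.100.23 - - [17/Dec/2025:02:41:30 +0000] "POST /rest//id-pools/%65xecuteCommand?a=1 HTTP/1.1" 200 51',
    '10.20.30.7 - - [17/Dec/2025:03:00:00 +0000] "GET /rest/id-pools/executeCommand/ HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, found in triage(SAMPLE).items():
        print(ip, len(found), "hit(s); trusted source:", found[0]["trusted_source"])
```

Hits from sources outside the trusted range, especially with success status codes and timestamps before the patch date, are the entries to hand to incident response first.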
As a precautionary security measure following CVE-2025-37164 remediation, organizations should systematically rotate all credentials, API keys, certificates, and authentication secrets that may have been accessible from potentially compromised HPE OneView systems. This comprehensive credential rotation should encompass administrative accounts for the OneView platform itself, credentials for all managed infrastructure components including servers, storage, and networking equipment, and authentication materials for any integrated systems that HPE OneView connects to for monitoring, automation, or management purposes. The privileged position of OneView within infrastructure management architectures means that compromise could expose a wide range of sensitive authentication materials.
T1190 – Exploit Public-Facing Application: CVE-2025-37164 is exploited through the public-facing HPE OneView management interface accessible over the network. Attackers target the vulnerable /rest/id-pools/executeCommand API endpoint to gain initial access to the infrastructure management platform without requiring any authentication or authorized access.
T1059 – Command and Scripting Interpreter: Successful CVE-2025-37164 exploitation enables attackers to execute arbitrary commands through scripting interpreters on the compromised HPE OneView system.
T1059.004 – Unix Shell: The code injection vulnerability allows attackers to execute arbitrary Unix shell commands on the underlying Linux-based HPE OneView appliance operating system, providing complete command execution capabilities with the privileges of the application process.
T1068 – Exploitation for Privilege Escalation: While CVE-2025-37164 itself provides unauthenticated remote code execution, the execution occurs with the elevated privileges of the HPE OneView application, effectively providing immediate privilege escalation from no access to highly privileged infrastructure management capabilities.
T1588 – Obtain Capabilities: Threat actors exploiting CVE-2025-37164 must first obtain exploitation capabilities including knowledge of the vulnerability and functional exploit code.
T1588.006 – Vulnerabilities: Attackers leveraging CVE-2025-37164 specifically acquire knowledge of this critical code injection vulnerability and develop or obtain exploit code capable of triggering the vulnerability through crafted API requests to the vulnerable endpoint.
https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview/
https://github.com/rapid7/metasploit-framework/pull/20792
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
https://myenterpriselicense.hpe.com/cwp-ui/productdetails/HPE_OV_CVE_37164_Z7550-98077/-/sw_free
https://support.hpe.com/connect/s/softwaredetails?collectionId=MTX64daeb5ed0df44a0&tab=releaseNotes