HPE OneView: Critical vulnerability allows code smuggling from the network

In HPE's OneView, attackers can inject malicious code from the network without authentication. An update is available.


A critical security vulnerability has been discovered in HPE OneView, allowing attackers to inject and execute malicious code. As this is possible from the internet without prior authentication, the vulnerability receives the highest possible risk rating.

HPE's OneView is used for the central management of IT infrastructures such as servers, storage systems, and networks. The vulnerability description from Tuesday briefly states: “A remote code execution problem exists in HPE OneView” (CVE-2025-37164, CVSS 10.0, risk “critical”). A security advisory on the HPE website is hardly more helpful, but at least mentions the conditions: “A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView software. The vulnerability could be exploited, allowing unauthenticated users from the network to execute code remotely.”

HPE does not explain what the vulnerability specifically entails or what attacks might look like. However, all versions before the recently released version 11.00 are affected. HPE provides version 11.00 for download in the HPE Software Center.

In addition, HPE is providing hotfixes in the Software Center for older OneView versions between 5.20 and 10.20. The manufacturer adds that the hotfix must be reapplied after upgrading OneView 6.60.xx to 7.00.00, and also after applying HPE Synergy Composer.

Due to the severity of the security vulnerability, IT managers should download and install the update immediately.


Most recently, administrators had to patch a high-risk security vulnerability in OneView for VMware vCenter. Attackers could use it to escalate their privileges and execute commands as an administrator. In early 2024 there were also critical security vulnerabilities in HPE OneView, but those stemmed from bundled third-party software such as the Apache HTTP server.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.