HPE tells customers to patch fast as OneView RCE bug scores a perfect 10

Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt. The vulnerability, tracked as CVE-2025-37164 and rated a maximum 10.0 on the CVSS scale, affects HPE OneView versions 5.20 through 10.20 and allows unauthenticated remote code execution, according to an advisory published by the company this week. OneView sits at the heart of many enterprise environments, serving as a central control plane for servers, firmware, storage, and lifecycle management. "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution." HPE said the issue was reported by security researcher Nguyen Quoc Khanh and is urging customers to either upgrade to OneView 11.0 or apply the emergency hotfix immediately. Separate fixes are available for the OneView virtual appliance and for HPE Synergy deployments. Rapid7, which has analyzed the vulnerability and the vendor's hotfix, told The Register that the real danger isn't just code execution, but where it happens. OneView is typically deployed deep inside the network with sweeping privileges and minimal scrutiny, because it's assumed to be trustworthy. An unauthenticated RCE at that layer doesn't just open a door – it hands over the keys to the building. In other words, popping OneView could give an attacker centralized control over large chunks of infrastructure at scale, rather than access to a single compromised box. That makes it a far more attractive target than the average edge-facing server bug. Hyperscalers fuel $112B server spending spree in Q3 HPE's server and hybrid cloud revenue go into reverse amid historical hardware splurge HPE backs AMD's Helios AI rack with Juniper's scale-up switch How high-end supercomputer filesystem DAOS can break out of its niche Rapid7's initial inspection of the hotfix suggests the vulnerability is tied to a specific REST API endpoint exposed by the appliance. The fix works by blocking access to that endpoint at the web server level, and the firm said it has a high degree of confidence that this endpoint is the primary access vector. HPE has not said whether the flaw is being actively exploited, but history suggests bugs like this don't stay theoretical for long. Highly privileged management platforms are often targeted by ransomware crews and other attackers seeking shortcuts past perimeter defenses. For now, if you're running a vulnerable version of OneView, patch or upgrade immediately. Rapid7, meanwhile, suggests defenders treat the issue as an assumed-breach scenario, review network segmentation, and stop treating infrastructure management layers as untouchable. ®