
The United States Cybersecurity and Infrastructure Security Agency (CISA) has raised the alarm about active exploitation of a critical vulnerability in HPE OneView, the IT infrastructure management platform from Hewlett Packard Enterprise.
The issue was discovered by Vietnamese security researcher Nguyen Quoc Hanh (brocked200). HPE released patches in mid-December, but CISA now confirms that unpatched systems remain exposed and are being exploited by attackers.
HPE disclosed the flaw on December 16 and described it as allowing unauthenticated remote code execution. There are no workarounds to mitigate the risk: the only protection is to update OneView to version 11.00 or later, available through the official HPE download center.
OneView is used for centralized administration of servers, storage systems, and networking equipment. The vulnerability, tracked as CVE-2025-37164, carries the highest possible severity rating (CVSS 10.0) and is already being exploited in real-world attacks.
CVE-2025-37164 affects all versions of OneView prior to 11.00. It allows an unauthenticated remote attacker to execute arbitrary code on the appliance. The attack has low complexity and relies on code injection reachable through the management interface.
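The practical question for anyone running OneView is simply whether each appliance is still below the fixed release. The following Python helper is an added example, not code from the article or from HPE: it takes the JSON body reported by an appliance and decides whether it needs the CVE-2025-37164 update. The endpoint name (`/rest/appliance/nodeinfo/version`), the `softwareVersion` field, and the `major.minor.patch-build` string format are assumptions made for the example; the sample responses are constructed. The point it makes is that OneView version strings must be compared numerically, since a plain string comparison would rank "9.00" above "11.00".

```python
"""Triage helper (added example): is an HPE OneView appliance below the
CVE-2025-37164 fix threshold, judging by the version string it reports?"""
import json
import re

# Fixed release named in the HPE advisory: OneView 11.00 and later are patched.
FIXED_VERSION = "11.00"

# ASSUMPTION for this example: the appliance reports its product version at
# GET /rest/appliance/nodeinfo/version as JSON with a "softwareVersion" field
# formatted like "10.20.00-0517543" (major.minor.patch-build). Verify against
# the OneView API reference for your release before relying on it.
VERSION_ENDPOINT = "/rest/appliance/nodeinfo/version"
VERSION_FIELD = "softwareVersion"

# Constructed sample responses, one per hypothetical appliance.
SAMPLE_RESPONSES = {
    "oneview-a.example.internal": '{"softwareVersion": "10.20.00-0517543"}',
    "oneview-b.example.internal": '{"softwareVersion": "11.00.00-0600001"}',
    "oneview-c.example.internal": '{"softwareVersion": "9.00.00-0400000"}',
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.20.00-0517543' or '11.00' into a tuple of ints for numeric
    comparison, dropping the build suffix. A plain string compare would put
    '9.00' after '11.00', so this parsing step is the whole point."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so "11.00" and "11.00.00-0600001" compare equal.
    return parts + (0,) * max(0, 3 - len(parts))


def needs_patch(software_version: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(software_version) < parse_version(FIXED_VERSION)


def triage(nodeinfo_json: str) -> dict:
    """Given the JSON body of the (assumed) version endpoint, return a verdict
    suitable for an inventory report."""
    doc = json.loads(nodeinfo_json)
    version = doc[VERSION_FIELD]
    vulnerable = needs_patch(version)
    return {
        "softwareVersion": version,
        "vulnerable": vulnerable,
        "action": "update to OneView 11.00 or later" if vulnerable else "patched",
    }


def triage_fleet(responses: dict[str, str]) -> dict[str, dict]:
    """Run triage over a mapping of appliance name -> JSON body."""
    return {name: triage(body) for name, body in responses.items()}


if __name__ == "__main__":
    for name, verdict in triage_fleet(SAMPLE_RESPONSES).items():
        print(f"{name}: {verdict['softwareVersion']} -> {verdict['action']}")
```

In practice you would feed `triage_fleet` the bodies fetched from each appliance over its management interface; until an appliance reports 11.00 or later it should be treated as exploitable, because the article notes there is no workaround to fall back on.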
Following confirmation of exploitation, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive 22-01, U.S. federal civilian agencies must remediate it within three weeks, by January 28. Although the directive formally binds only federal agencies, CISA strongly recommends that all organizations, including the private sector, install the patch immediately.
CISA emphasizes that vulnerabilities of this kind regularly serve as easy entry points and pose a serious threat to large infrastructures. Its standard guidance for KEV entries is to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable; since HPE offers no workaround for this flaw, an appliance that cannot be updated should be taken out of service until it can be.
This is not the first alarming incident for HPE in recent months. In July, the company warned of hard-coded credentials in Aruba Instant On access points that allowed authentication bypass. A month earlier, HPE fixed eight vulnerabilities in its StoreOnce backup system, including several flaws that could allow remote code execution and a critical security bypass.
