A newly disclosed vulnerability, tracked as CVE‑2025‑37164, affects the Hewlett Packard Enterprise (HPE) OneView product and has been assigned a CVSS score of 10.0. Read this Cybersecurity Threat Advisory for more details and recommended steps to protect your environment.
What is the threat?
CVE‑2025‑37164 is a critical remote code execution (RCE) vulnerability in HPE OneView that allows unauthenticated attackers to execute arbitrary code over the network. A successful exploitation allows threat actors to gain complete control over the OneView management platform, compromise connected servers, networking gear, and infrastructure resources, steal sensitive data or credentials, move laterally across environments, and disrupt critical operations.
Why is it noteworthy?
This flaw has a CVSS score of 10.0. The availability of a public Metasploit module makes the situation even more urgent because it dramatically lowers the skill required to launch the attack and increases the likelihood of exploitation across the internet.
What is the exposure or risk?
OneView is designed for trust and efficiency, which means it typically runs with minimal performance-impacting logging. As a result, organizations may have limited visibility during an attack. Exploitation could give attackers full control of the managed infrastructure, including firmware security keys and direct server access. High trust, broad access, and limited logging make compromises fast and silent.
What are the recommendations?
Barracuda recommends the following actions to secure your infrastructure:
- Apply the official HPE security patch or upgrade to version 11 for all affected OneView instances.
- Restrict network access to the OneView management interface using ACLs and by preventing any exposure to the public internet.
- Implement strict access controls and enforce multi‑factor authentication (MFA) for all administrative accounts.
- Monitor logs and network traffic closely for unusual activity or exploit attempts targeting OneView.
- Review and update incident response plans to ensure rapid containment and recovery should a compromise occur.
References
For more in-depth information about the recommendations, please visit the following links:
- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
- https://thehackernews.com/2025/12/hpe-oneview-flaw-rated-cvss-100-allows.html
- https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
