
"Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt. The vulnerability, tracked as CVE-2025-37164 and rated a maximum 10.0 on the CVSS scale, affects HPE OneView versions 5.20 through 10.20 and allows unauthenticated remote code execution, according to an advisory published by the company this week."
"OneView sits at the heart of many enterprise environments, serving as a central control plane for servers, firmware, storage, and lifecycle management. "A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution." HPE said the issue was reported by security researcher Nguyen Quoc Khanh and is urging customers to either upgrade to OneView 11.0 or apply the emergency hotfix immediately."
"Rapid7, which has analyzed the vulnerability and the vendor's hotfix, told The Register that the real danger isn't just code execution, but where it happens. OneView is typically deployed deep inside the network with sweeping privileges and minimal scrutiny, because it's assumed to be trustworthy. An unauthenticated RCE at that layer doesn't just open a door; it hands over the keys to the building."
CVE-2025-37164 is a maximum-severity vulnerability in HPE OneView versions 5.20 through 10.20 that permits unauthenticated remote code execution. OneView functions as a central control plane for servers, firmware, storage, and lifecycle management, often deployed deep within enterprise networks with broad privileges. The issue was reported by security researcher Nguyen Quoc Khanh. Customers are urged to upgrade to OneView 11.0 or apply the emergency hotfix, with separate fixes for the OneView virtual appliance and HPE Synergy deployments. Rapid7's analysis indicates the flaw is tied to a specific REST API endpoint and the hotfix blocks access to that endpoint.
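One practical follow-up to the advisory is deciding, from an inventory of appliances, which ones still sit in the affected window. The script below is an added example and is not HPE's, Rapid7's or The Register's code; the affected range (5.20 through 10.20) and the fixed release (11.0) come from the advisory as quoted above, while the appliance names, version strings and the `hotfix_applied` inventory flag are constructed for the example and are not fields OneView itself reports. The point it makes is that OneView version strings must be compared numerically: a plain string comparison sorts "10.20" before "5.20" and would quietly mark the newest affected release as safe.

```python
"""Triage an inventory of HPE OneView appliances against CVE-2025-37164.

Added example, not vendor code. Affected range and fixed release are taken
from the advisory as quoted in the article; the inventory below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# From the advisory: versions 5.20 through 10.20 are affected, 11.0 is fixed.
AFFECTED_MIN = (5, 20)
AFFECTED_MAX = (10, 20)
FIXED_RELEASE = (11, 0)


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '10.20', '6.00.00' or '11.0' into a tuple of ints.

    Tuple comparison is the whole point: Python compares '10.20' < '5.20'
    as strings (because '1' < '5'), so a string-based check would report the
    newest affected build as unaffected. Assumes OneView's two-digit minor
    component as written in the advisory ('5.20', not '5.2').
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable OneView version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, hotfix_applied: bool = False) -> bool:
    """True when the appliance still needs the hotfix or the 11.0 upgrade.

    Only major.minor are compared; a patch level such as '6.00.01' does not
    move a build out of the affected range on its own.
    """
    major_minor = parse_version(version)[:2]
    in_range = AFFECTED_MIN <= major_minor <= AFFECTED_MAX
    return in_range and not hotfix_applied


@dataclass
class Appliance:
    name: str
    version: str
    hotfix_applied: bool = False  # hypothetical inventory field, not an OneView attribute


def triage(inventory: list[Appliance]) -> dict[str, list[str]]:
    """Split an inventory into 'patch_now' and 'ok' buckets by appliance name."""
    result: dict[str, list[str]] = {"patch_now": [], "ok": []}
    for app in inventory:
        bucket = "patch_now" if is_affected(app.version, app.hotfix_applied) else "ok"
        result[bucket].append(app.name)
    return result


# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    Appliance("ov-dc1", "10.20"),                      # newest affected release
    Appliance("ov-dc2", "8.10", hotfix_applied=True),  # affected but hotfixed
    Appliance("ov-lab", "5.00"),                       # below the affected range
    Appliance("ov-new", "11.0"),                       # fixed release
    Appliance("ov-synergy", "6.00.01"),                # patch level does not help
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

The version strings here have to come from the appliance or from your own inventory; the script only encodes the range the advisory gives and does not query OneView. Treat a hotfixed appliance as "ok" only until the 11.0 upgrade is scheduled, since the hotfix, per Rapid7's analysis as summarised above, works by blocking the affected endpoint rather than replacing the vulnerable code path.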
Read at www.theregister.com