HPE (Hewlett-Packard Enterprise) has issued a high-severity security advisory for HPE OneView, warning of a vulnerability that could allow remote, unauthenticated attackers to execute arbitrary code on affected systems.
HPE OneView is commonly deployed as a centralized management platform with deep visibility and control over compute, storage, and networking infrastructure. Because this vulnerability can be exploited remotely without authentication, a successful attack could give an adversary a direct foothold into enterprise infrastructure environments.
The issue, tracked as CVE-2025-37164, affects all versions of HPE OneView through 10.20. HPE rates the vulnerability at the maximum CVSS v3.1 score of 10.0, reflecting both the ease of exploitation and the potential impact.
HPE has released a security hotfix that addresses the vulnerability across affected OneView versions from 5.20 through 10.20.
Rather than requiring a full platform upgrade, the fix is delivered as a dedicated security update for both OneView virtual appliances and HPE Synergy Composer systems.
Given the severity of the issue, patching should be treated as urgent, especially in environments where management interfaces are reachable from broader internal networks.
One important operational detail is that the hotfix does not permanently persist through certain upgrade paths. If an appliance is upgraded from the 6.60.x release line to 7.00.00, or if a Synergy Composer is reimaged, the security hotfix must be reapplied afterward. Organizations performing routine upgrades should note this to avoid unintentionally reintroducing the vulnerability.
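As an added example (not HPE's code or anything from the bulletin), a small Python triage helper that encodes the version ranges and the hotfix re-application rule described above over a constructed appliance inventory; the record field names are assumptions, not an HPE API:

```python
"""Triage helper for HPE OneView appliances against CVE-2025-37164 (added example).
Rules follow the summary above: all versions through 10.20 affected, hotfix for
5.20 through 10.20, hotfix lost on a 6.60.x -> 7.00.00 upgrade or a reimage."""
from typing import Dict, List, Optional, Tuple

AFFECTED_MAX = (10, 20)  # affected through 10.20
HOTFIX_MIN = (5, 20)     # hotfix released for 5.20 through 10.20

def parse_version(text: str) -> Tuple[int, ...]:
    """'6.60.02' -> (6, 60, 2); a non-numeric piece such as 'x' ends parsing."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def hotfix_lost(previous: Optional[str], current: str, reimaged: bool) -> bool:
    """True when an applied hotfix no longer persists and must be reapplied."""
    if reimaged:
        return True
    if previous is None:
        return False
    return (parse_version(previous)[:2] == (6, 60)
            and parse_version(current)[:3] == (7, 0, 0))

def triage(rec: Dict) -> str:
    """Action code for one appliance record (field names are constructed assumptions)."""
    mm = parse_version(rec["version"])[:2]
    if mm > AFFECTED_MAX:
        return "NOT_AFFECTED"
    if mm < HOTFIX_MIN:
        return "UPGRADE_FIRST"  # affected, but no hotfix listed for this release
    if rec.get("hotfix_applied") and not hotfix_lost(
            rec.get("previous_version"), rec["version"], rec.get("reimaged", False)):
        return "HOTFIXED"
    return "APPLY_HOTFIX"

def triage_inventory(records: List[Dict]) -> Dict[str, str]:
    return {r["name"]: triage(r) for r in records}

# Constructed sample inventory; names and versions are illustrative only.
SAMPLE_INVENTORY = [
    {"name": "ov-prod-1", "version": "8.10.00", "hotfix_applied": True},
    {"name": "ov-prod-2", "version": "7.00.00", "previous_version": "6.60.02", "hotfix_applied": True},
    {"name": "synergy-1", "version": "10.20.00", "hotfix_applied": True, "reimaged": True},
    {"name": "ov-legacy", "version": "5.00.00", "hotfix_applied": False},
]
```

Feeding it a real inventory export would require mapping your own fields onto these constructed ones; the point is that a "hotfix applied" flag recorded before a 6.60.x to 7.00.00 upgrade or a reimage is stale and must not be trusted.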
Any organization running HPE OneView should assume exposure until the hotfix has been applied and validated. Administrators can also subscribe to HPE Security Bulletin alerts through their official support channels.
Beyond patching, this disclosure is a reminder to regularly review access controls around infrastructure management platforms and ensure they are isolated from unnecessary network access.
HPE continues to recommend that customers follow established patch management and security review practices to reduce the risk of similar issues going forward.
View the official security bulletin including download links for the hotfix and ongoing updates here.