HPE OneView RCE CVE-2025-37164 Added to CISA KEV

A critical unauthenticated remote code execution vulnerability in HPE OneView, tracked as CVE-2025-37164, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog due to confirmed exploitation in the wild.

Vulnerability Overview

CVE-2025-37164 carries the maximum CVSS v3.1 score of 10.0. An attacker who can reach the appliance's REST API can execute arbitrary code through the /rest/id-pools/executeCommand endpoint, which is exposed without any authentication. Because HPE OneView manages enterprise servers, storage, and networking, a compromised appliance hands the attacker management-level control over the data center infrastructure it administers.

Timeline of Events

HPE disclosed and patched the flaw on December 17-18, 2025; it affects OneView versions 5.20 through 10.20. Public proof-of-concept exploits and a Metasploit module appeared shortly afterwards, and real-world attacks followed quickly. CISA added the CVE to KEV on January 7, 2026, alongside a legacy Microsoft Office flaw, which under BOD 22-01 requires federal civilian agencies to remediate it by January 28, 2026.

Technical Details

The root cause is missing input validation on the endpoint: a single HTTP PUT request whose body carries a crafted "cmd" parameter is enough to inject a command that the appliance executes. HPE's hotfix (HPE_OneView_CVE_37164_Z7550-98077.bin) mitigates rather than rewrites the vulnerable code: it blocks the endpoint with an Apache rewrite rule in /etc/httpd/conf.d/crypto/dynamic-ssl.conf, so requests to it now return HTTP 404. Because the mitigation lives in the web server configuration, verify after applying it that a request to the endpoint actually returns 404 rather than assuming the hotfix took effect.

Affected Products and Remediation

  • Impacted Versions: HPE OneView 5.20 to 10.20 (physical appliances, virtual appliances, HPE Synergy).
  • Fix: Upgrade to 11.0 or apply emergency hotfixes immediately.
  • Detection: Use Nuclei templates or vendor scanners to find vulnerable appliances; review the appliance web server access logs for requests to the vulnerable endpoint.

Indicators of Compromise (IOCs)

  • Any HTTP PUT request to /rest/id-pools/executeCommand in the appliance web server logs. After the hotfix these requests are answered with HTTP 404; requests logged with any other status code reached the unpatched endpoint and should be treated as probable compromise.
  • New processes or persistence mechanisms post-exploitation (e.g., backdoors, lateral movement artifacts).
  • Monitor for Metasploit signatures or PoC traffic patterns.
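As an added illustration of the log-based detection named under Detection and the first IOC above (example code written for this page, not HPE's or the article's own): it parses access log lines, flags every request to /rest/id-pools/executeCommand, and separates the ones the hotfix answered with 404 from the ones that reached the unpatched API. It assumes the appliance's Apache httpd writes the standard "combined" log format, and the sample lines are constructed; confirm the real log layout before relying on the regex.

```python
"""Detection example for CVE-2025-37164 exploitation attempts in access logs.

Added illustration, not HPE's code. Assumes the appliance's Apache httpd
writes the standard "combined" access log format; the log lines below are
constructed for this example and are not real traffic.
"""
import re
from collections import Counter

# The REST endpoint named in the advisory.
VULN_PATH = "/rest/id-pools/executeCommand"

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2026:10:12:01 +0000] "GET /rest/version HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Jan/2026:10:12:03 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.9 - - [07/Jan/2026:11:40:22 +0000] "PUT /rest/id-pools/executeCommand?x=1 HTTP/1.1" 404 196 "-" "curl/8.4.0"
10.0.0.7 - - [07/Jan/2026:11:41:00 +0000] "POST /rest/login-sessions HTTP/1.1" 200 301 "-" "OneView-UI"
this line is not a valid access log entry
"""

# Apache "combined" format: client ident user [timestamp] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)


def parse_line(line):
    """Return the fields we need as a dict, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop any query string so "?x=1" variants still match the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_exploit_attempts(log_text):
    """Return every request to the vulnerable endpoint, tagged with whether
    the hotfix blocked it (HTTP 404) or it reached the application."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH:
            continue
        # The hotfix answers 404. Any other status means the request was
        # handled by the unpatched API and the host should be treated as
        # probably compromised.
        rec["blocked_by_hotfix"] = rec["status"] == 404
        hits.append(rec)
    return hits


def sources_to_investigate(hits):
    """Count, per client IP, the requests that got past the hotfix."""
    return Counter(h["ip"] for h in hits if not h["blocked_by_hotfix"])


if __name__ == "__main__":
    attempts = find_exploit_attempts(SAMPLE_LOG)
    for h in attempts:
        state = "BLOCKED" if h["blocked_by_hotfix"] else "REACHED API"
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]} {state}')
    print("Investigate:", dict(sources_to_investigate(attempts)))
```

Run it against the appliance's real access log (for example by reading the file and passing its contents to find_exploit_attempts) and treat every host in sources_to_investigate as a starting point for a forensic review of the appliance, not just as a scanner hit. A 404 only proves the request was blocked at the web server; a 200 logged before the hotfix was applied means the command was executed.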

Mitigation Strategies

Prioritize patching HPE OneView instances: because the appliance holds management access to the servers, storage, and network devices it controls, it is a high-value target even when it is not exposed to the internet. Restrict access to the appliance's management interface and REST API to administrative subnets, segment it from general user networks, and keep web server access logging enabled so that exploitation attempts can be detected. Use vulnerability scanners such as Qualys or Nessus to find unpatched appliances, and review infrastructure templates for over-privileging.
