HPE Patches Critical Flaw in IT Infrastructure Management Software


Tracked as CVE-2025-37164, the critical flaw could allow unauthenticated, remote attackers to execute arbitrary code.

Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity remote code execution vulnerability in its OneView IT infrastructure management software.

Tracked as CVE-2025-37164 (CVSS score of 10), the security defect can be exploited without authentication, the company notes in a barebones advisory.

HPE makes no mention of the flaw being exploited in the wild, but urges customers to update to a fixed release as soon as possible.

According to HPE, the issue impacts all OneView releases up to version 10.20. The company has released hotfixes for OneView users and recommends updating 6.60.xx iterations to version 7.00 prior to applying the patch. HPE Synergy Composer reimages should also be updated.

The HPE OneView virtual appliance security hotfixes are available on this page, while the HPE Synergy CVE security hotfix can ...


Copyright of this story solely belongs to SecurityWeek.