Maximum-severity vuln lets unauthenticated attackers execute code on trusted infra management platform
Hewlett Packard Enterprise has told customers to drop whatever they're doing and patch OneView after admitting a maximum-severity bug could let attackers run code on the management platform without so much as a login prompt.
The vulnerability, tracked as CVE-2025-37164 and rated a maximum 10.0 on the CVSS scale, affects HPE OneView versions 5.20 through 10.20 and allows unauthenticated remote code execution, according to an advisory published by the company this week. OneView sits at the heart of many enterprise environments, serving as a central control plane for servers, firmware, storage, and lifecycle management.
"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution."
HPE said the issue was reported by security researcher Nguyen Quoc Khanh and is urging customers to either upgrade ...
Copyright of this story solely belongs to theregister.co.uk.