Critical HPE OneView Vulnerability Exploited in Attacks
securityweek
The maximum-severity code injection flaw can be exploited without authentication for remote code execution.


The US cybersecurity agency CISA on Wednesday warned that a critical-severity vulnerability in the OneView product from Hewlett Packard Enterprise (HPE) has been exploited in attacks.
Tracked as CVE-2025-37164 (CVSS score of 10/10), the security defect was disclosed on December 17, 2025, when HPE released hotfixes for it.
HPE credited Nguyen Quoc Khanh for reporting the bug but refrained from sharing technical information.
“This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said.
According to cybersecurity firm Rapid7, the issue likely impacts a specific REST API endpoint reachable without authentication.
On Wednesday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it has been exploited in the wild.
“Hewlett Packard Enterprise OneView contains a code injection vulnerability that allows a remote unauthenticated user to ...
Copyright of this story solely belongs to securityweek.

