CVE-2025-37164
published 2025-12-16

CVE-2025-37164: A remote code execution issue exists in HPE OneView.

Priority: P197 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, due 2026-01-28
Exploited in the wild
EPSS: 89.73% (99.8th percentile)

Affected

2 ranges

Vendor                      Product      Version range  Fixed in
hewlett_packard_enterprise  hpe_oneview  < 11.00        11.00
hpe                         oneview      <= 10.20.00    -

Detection & IOCs (extracted from sources)

url:   GET /rest/version HTTP/1.1
url:   PUT /rest/id-pools/executeCommand
path:  /rest/id-pools/executeCommand
path:  /rest/version
other: ExecutableCommand
nuclei template (the matchers belong under the http request entry; matchers-condition: and is required so that a bare HTTP 200 alone does not match):
id: CVE-2025-37164
info:
  name: HPE OneView - Remote Code Execution
  author: DhiyaneshDk,garciaizcoa
  severity: critical
  tags: cve,cve2025,hpe,oneview,rce,vkev,kev
http:
  - raw:
      - GET /rest/version HTTP/1.1
      - PUT /rest/id-pools/executeCommand HTTP/1.1
    matchers-condition: and
    matchers:
      - type: word
        words: ["ExecutableCommand"]
      - type: word
        part: interactsh_protocol
        words: ["dns"]
      - type: status
        status: [200]
  • The exploit targets the unauthenticated /rest/id-pools/executeCommand endpoint via HTTP PUT with a JSON body containing a 'cmd' key. Detect PUT requests to this path on HPE OneView instances.
  • Successful exploitation returns a response body containing the string 'ExecutableCommand'. Monitor HTTP 200 responses from /rest/id-pools/executeCommand for this keyword.
  • Exploitation begins with a GET to /rest/version to retrieve the current API version, followed immediately by the PUT to /rest/id-pools/executeCommand. Correlate these two sequential requests from the same source IP.
  • The RondoDox botnet was observed exploiting this vulnerability starting January 7th. Attribute exploitation activity to this botnet when investigating CVE-2025-37164 incidents.
  • Shodan query for exposed HPE OneView instances: html:"HPE" html:"OneView". Use this to identify internet-facing attack surface.
  • The vulnerability is a code injection flaw exploitable by unauthenticated attackers with no user interaction required (low complexity). No X-Auth-Token or session cookie is needed in the exploit request.
  • Some VM product versions of HPE OneView do not enable the vulnerable 'ID Pools' endpoint and are not exploitable. Confirm endpoint availability before concluding a host is vulnerable.
  • Check Point IPS signature name for this threat is 'HPE OneView Remote Code Execution (CVE-2025-37164)'. Use this signature name when querying IPS logs.
  • The security hotfix for versions 5.20–10.20 must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation; failure to reapply leaves the system vulnerable again.
  • Separate hotfix downloads exist for the virtual appliance and for Synergy Composer deployments; ensure the correct hotfix variant is applied for the deployment type.
  • There are no workarounds or mitigations available; patching to v11.00 or applying the vendor hotfix is the only remediation path.
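The three request-level indicators above (a PUT to /rest/id-pools/executeCommand, a 200 response carrying 'ExecutableCommand', and a GET /rest/version from the same source shortly before) can be turned into a single correlation rule. The script below is an added example, not part of this record or its sources; it assumes a simplified, constructed access-log format with the response body excerpt in the last field, and a 60-second correlation window chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Field order is assumed:
# <ISO timestamp> <client_ip> <method> <path> <status> [<response body excerpt>]
SAMPLE_LOG = """\
2026-01-07T10:00:00 203.0.113.5 GET /rest/version 200 {"currentVersion":"x"}
2026-01-07T10:00:01 203.0.113.5 PUT /rest/id-pools/executeCommand 200 ...ExecutableCommand...
2026-01-07T10:05:00 198.51.100.9 GET /rest/version 200 {"currentVersion":"x"}
2026-01-07T10:30:00 198.51.100.9 PUT /rest/id-pools/executeCommand 401 Unauthorized
2026-01-07T11:00:00 192.0.2.7 GET /rest/login-sessions 200 {"sessions":[]}
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: (.*))?$")
TARGET_PATH = "/rest/id-pools/executeCommand"
CORRELATION_WINDOW = timedelta(seconds=60)  # assumed window for GET -> PUT


def parse(log_text):
    """Yield (timestamp, ip, method, path, status, body) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        ts, ip, method, path, status, body = m.groups()
        yield datetime.fromisoformat(ts), ip, method, path, int(status), body or ""


def detect(log_text):
    """Return (ip, severity, reason) findings for CVE-2025-37164 exploitation attempts."""
    findings = []
    last_version_probe = {}  # ip -> time of most recent GET /rest/version
    for ts, ip, method, path, status, body in parse(log_text):
        if method == "GET" and path == "/rest/version":
            last_version_probe[ip] = ts  # benign alone, remembered for correlation
            continue
        if method == "PUT" and path == TARGET_PATH:
            reasons = ["PUT to unauthenticated executeCommand endpoint"]
            probe = last_version_probe.get(ip)
            if probe is not None and ts - probe <= CORRELATION_WINDOW:
                reasons.append("preceded by GET /rest/version within window")
            # A 200 with the marker string indicates the command was accepted.
            if status == 200 and "ExecutableCommand" in body:
                severity = "high"
                reasons.append("200 response contains 'ExecutableCommand'")
            else:
                severity = "medium"  # attempt observed, no success indicator
            findings.append((ip, severity, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for ip, severity, reason in detect(SAMPLE_LOG):
        print(f"{severity.upper():6} {ip:15} {reason}")
```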

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck  -        10.0   CRITICAL  -
cisa       -        9.8    CRITICAL  -