⚠ Actively exploited
Added to CISA KEV on 2026-01-07. Federal agencies are required to patch by 2026-01-28. Required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-37164: Code Injection in Hewlett Packard Enterprise (HPE) OneView

CWE-94: Code Injection | 10 documents, 9 sources

Severity
NVD: 9.8 CRITICAL
CNA: 10.0
VulnCheck: 10.0

EPSS
85.1% (top 0.64%)
CISA KEV
Added 2026-01-07
Due 2026-01-28

Exploit
Public exploit / PoC available
Timeline
Published: 2025-12-16
KEV added: 2026-01-07
Latest update: 2026-01-08
KEV due: 2026-01-28

Description

An unauthenticated remote code execution (code injection, CWE-94) issue exists in HPE OneView. The NVD vector records network reachability with no privileges or user interaction required and full loss of confidentiality, integrity and availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability sub-score: 3.9 | Impact sub-score: 5.9

Affected Packages (2 packages)

NVD: hpe/oneview 10.20.00

🔴 Vulnerability Details (3)

GHSA: GHSA-6pr3-cx3j-4949: A remote code execution issue exists in HPE OneView (2025-12-16)
CVEList: CVE-2025-37164: A remote code execution issue exists in HPE OneView (2025-12-16)
VulnCheck: Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability (2025)

💥 Exploits & PoCs (2)

Nuclei: HPE OneView - Remote Code Execution
Metasploit: HPE OneView unauthenticated RCE

🔍 Detection Rules (1)

Suricata: ET WEB_SPECIFIC_APPS HPE OneView Unauthenticated Remote Code Execution (CVE-2025-37164) (2025-12-23)

📋 Vendor Advisories (1)

CISA: Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability (2026-01-07)

🕵️ Threat Intelligence (2)

BleepingComputer: CISA tags max severity HPE OneView flaw as actively exploited (2026-01-08)
BleepingComputer: HPE warns of maximum severity RCE flaw in OneView software (2025-12-18)
CVE-2025-37164 — Code Injection | cvebase