# CVE-2025-37164
Published 2025-12-16
Priority P1 (97) · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · Exploit · Initial access
CISA Known Exploited Vulnerability, remediation due 2026-01-28
Exploited in the wild
EPSS: 89.73% (99.8th percentile)
A remote code execution issue exists in HPE OneView.
## Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hewlett_packard_enterprise | hpe_oneview | < 11.00 | 11.00 |
| hpe | oneview | <= 10.20.00 | — |
## Detection & IOCs
Condensed Nuclei template (listed under "sigma" on the source page):
```yaml
id: CVE-2025-37164
info:
  name: HPE OneView - Remote Code Execution
  author: DhiyaneshDk,garciaizcoa
  severity: critical
  tags: cve,cve2025,hpe,oneview,rce,vkev,kev
http:
  - raw:
      - GET /rest/version HTTP/1.1
      - PUT /rest/id-pools/executeCommand HTTP/1.1
    matchers:
      - type: word
        words: ["ExecutableCommand"]
      - type: word
        part: interactsh_protocol
        words: ["dns"]
      - type: status
        status: [200]
```
- The exploit targets the unauthenticated /rest/id-pools/executeCommand endpoint via HTTP PUT with a JSON body containing a 'cmd' key. Detect PUT requests to this path on HPE OneView instances.
- Successful exploitation returns a response body containing the string 'ExecutableCommand'. Monitor HTTP 200 responses from /rest/id-pools/executeCommand for this keyword.
- Exploitation begins with a GET to /rest/version to retrieve the current API version, followed immediately by the PUT to /rest/id-pools/executeCommand. Correlate these two sequential requests from the same source IP.
- The RondoDox botnet was observed exploiting this vulnerability starting January 7th. Attribute exploitation activity to this botnet when investigating CVE-2025-37164 incidents.
- Shodan query for exposed HPE OneView instances: html:"HPE" html:"OneView". Use this to identify internet-facing attack surface.
- The vulnerability is a code injection flaw exploitable by unauthenticated attackers with no user interaction required (low complexity). No X-Auth-Token or session cookie is needed in the exploit request.
- Some VM product versions of HPE OneView do not enable the vulnerable 'ID Pools' endpoint and are not exploitable. Confirm endpoint availability before concluding a host is vulnerable.
- Check Point IPS signature name for this threat is 'HPE OneView Remote Code Execution (CVE-2025-37164)'. Use this signature name when querying IPS logs.
- The security hotfix for versions 5.20–10.20 must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations; failure to reapply leaves the system vulnerable again.
- Separate hotfix downloads exist for the virtual appliance and for Synergy Composer deployments; ensure the correct hotfix variant is applied for the deployment type.
- There are no workarounds or mitigations available; patching to v11.00 or applying the vendor hotfix is the only remediation path.
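As an added example (not code from any of the sources above), the following Python scans constructed proxy-style JSON log lines for the request pattern described in these notes: a PUT to /rest/id-pools/executeCommand whose body carries a 'cmd' key, a GET /rest/version from the same source shortly before it, and a 200 response containing 'ExecutableCommand'. The log format, field names and sample records are assumptions made for the example.

```python
import json
import re
from datetime import datetime, timedelta

TARGET_PATH = "/rest/id-pools/executeCommand"  # endpoint named in the notes above
PROBE_PATH = "/rest/version"                   # version probe that precedes the PUT
CMD_KEY = re.compile(r'"cmd"\s*:')             # body pattern the Suricata rule keys on
SUCCESS_MARKER = "ExecutableCommand"           # response string reported on success

# Constructed sample records (not real traffic), one JSON object per line in the
# shape a proxy or WAF in front of OneView might log; format and field names assumed.
SAMPLE_LOG = r'''
{"ts":"2026-01-07T10:00:01Z","src":"203.0.113.5","method":"GET","uri":"/rest/version","status":200,"req_body":"","resp_body":"currentVersion 7200"}
{"ts":"2026-01-07T10:00:02Z","src":"203.0.113.5","method":"PUT","uri":"/rest/id-pools/executeCommand","status":200,"req_body":"{\"cmd\":\"<redacted>\"}","resp_body":"type ExecutableCommand"}
{"ts":"2026-01-07T10:05:00Z","src":"198.51.100.7","method":"GET","uri":"/rest/version","status":200,"req_body":"","resp_body":"currentVersion 7200"}
{"ts":"2026-01-07T11:00:00Z","src":"192.0.2.9","method":"PUT","uri":"/rest/id-pools/executeCommand","status":404,"req_body":"{\"cmd\":\"<redacted>\"}","resp_body":"not found"}
'''

def parse_log(text):
    """Parse JSON-lines into event dicts, sorted by time, with 'ts' as a datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events, window=timedelta(seconds=60)):
    """One finding per PUT to the executeCommand endpoint: did the body carry a
    'cmd' key, did the same source GET /rest/version within `window` just
    before, and did a 200 response carry the success marker (likely compromise)."""
    findings = []
    for i, ev in enumerate(events):
        if ev["method"] != "PUT" or ev["uri"] != TARGET_PATH:
            continue
        probed = any(
            p["src"] == ev["src"] and p["method"] == "GET" and p["uri"] == PROBE_PATH
            and timedelta(0) <= ev["ts"] - p["ts"] <= window
            for p in events[:i]  # events are sorted, so these all precede ev
        )
        findings.append({
            "src": ev["src"],
            "ts": ev["ts"].isoformat(),
            "cmd_key_in_body": bool(CMD_KEY.search(ev["req_body"])),
            "version_probe_before": probed,
            "likely_compromise": ev["status"] == 200 and SUCCESS_MARKER in ev["resp_body"],
        })
    return findings
```

A finding with likely_compromise set should be treated as a confirmed incident rather than a blocked attempt, since the marker only appears when the command was accepted.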
## CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| VulnCheck | | 10.0 | CRITICAL | |
| CISA | | 9.8 | CRITICAL | |
## GHSA
GHSA-6pr3-cx3j-4949: A remote code execution issue exists in HPE OneView
ghsa_unreviewed · 2025-12-16 · CVE-2025-37164 [CRITICAL] CWE-94
A remote code execution issue exists in HPE OneView.
## VulnCheck
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability
vulncheck · 2025 · CVSS 10.0 · CVE-2025-37164 [CRITICAL] CWE-94
Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.
Affected: Hewlett Packard Enterprise (HPE) OneView
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-37164&date=2025-12-24; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-37164&date=2025-12-25; https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-37164&date=2025-12-26; https://api.vulncheck.com/v3/index/vulnc
## CISA
Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability
cisa · 2026-01-07 · CVSS 9.8 · CVE-2025-37164 [CRITICAL] CWE-94
Affected: Hewlett Packard Enterprise (HPE) OneView
Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US ; https://nvd.nist.gov/vuln/detail/CVE-2025-37164
Remediation Due Date: 2026-01-28
## Suricata
ET WEB_SPECIFIC_APPS HPE OneView Unauthenticated Remote Code Execution (CVE-2025-37164)
suricata · 2025-12-23 · CVSS 10.0 · CVE-2025-37164 [CRITICAL]
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS HPE OneView Unauthenticated Remote Code Execution (CVE-2025-37164)"; flow:established,to_server; http.uri; content:"/rest/id-pools/executeCommand"; fast_pattern; http.request_body; content:"|22|cmd|22 3a|"; http.method; content:"PUT"; reference:url,attackerkb.com/topics/ixWdbDvjwX/cve-2025-37164/rapid7-analysis; reference:cve,2025-37164; classtype:web-application-attack; sid:2066455; rev:1; metadata:affected_product HPE_OneView, attack_target Server, tls_state TLSDecrypt, created_at 2025_12_23, cve CVE_2025_37164, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, updated_at 20
## Nuclei
HPE OneView - Remote Code Execution
nuclei · CVSS 9.8 · CVE-2025-37164 [CRITICAL]
HPE OneView contains a remote code execution vulnerability, letting remote attackers execute arbitrary code.
Template (truncated on the source page after the first raw request):
```yaml
id: CVE-2025-37164
info:
  name: HPE OneView - Remote Code Execution
  author: DhiyaneshDk,garciaizcoa
  severity: critical
  description: |
    HPE OneView contains a remote code execution vulnerability, letting remote attackers execute arbitrary code.
  impact: |
    Remote attackers can execute arbitrary code, potentially leading to full system compromise.
  remediation: |
    Update to the latest version.
  reference:
    - https://attackerkb.com/topics/ixWdbDvjwX/cve-2025-37164/rapid7-analysis
  metadata:
    verified: true
    max-request: 2
    shodan-query: html:"HPE" html:"OneView"
  tags: cve,cve2025,hpe,oneview,rce,vkev,kev
http:
  - raw:
      - |
        GET /rest/version HTTP/1.1
```
## Metasploit
HPE OneView unauthenticated RCE
metasploit · CVSS 9.8 · CVE-2025-37164 [CRITICAL]
This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise (HPE) OneView. All versions below 11.00 are vulnerable (so long as the vendor supplied hotfix has not been applied), however some VM product versions do not enable the vulnerable "ID Pools" endpoint, and are not exploitable.
## Checkpoint
19th January – Threat Intelligence Report
blogs_checkpoint · 2026-01-19
## 19th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Spanish energy company Endesa has disclosed a data breach after unauthorized access to a commercial platform used to manage customer information. Media report attackers listed over 1 terabyte of data, including IBANs, for sale.
Belgian hospital AZ Monica has experienced a cyberattack that forced the shutdown of IT systems
## Bleepingcomputer
CISA tags max severity HPE OneView flaw as actively exploited
blogs_bleepingcomputer · 2026-01-08 · CVSS 10.0 · CVE-2025-37164 [CRITICAL]
By Sergiu Gatlan
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a maximum-severity HPE OneView vulnerability as actively exploited in attacks.
HPE's OneView infrastructure management software helps IT admins automate the management of storage, servers, and networking devices from a centralized interface.
Tracked as CVE-2025-37164, this critical security flaw was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to HPE, which released security patches in mid-December.
CVE-2025-37164 affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors through low-complexity code-injection attacks to gain remote code execution on unp
## Checkpoint
22nd December – Threat Intelligence Report
blogs_checkpoint · 2025-12-22
## 22nd December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 22nd December, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
An adult content platform PornHub has disclosed a data breach linked to analytics provider Mixpanel. The breach exposed more than 200 million records related to Premium users, including email addresses, search, watch, and download histories, locations, and associated video details collected prior to 2021. Pornhub stated
## Bleepingcomputer
HPE warns of maximum severity RCE flaw in OneView software
blogs_bleepingcomputer · 2025-12-18 · CVSS 10.0 · CVE-2025-37164 [CRITICAL]
By Sergiu Gatlan
Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that enables attackers to execute arbitrary code remotely.
OneView is HPE's infrastructure management software that helps IT admins streamline operations and automate the management of servers, storage, and networking devices from a centralized interface.
This critical security flaw (CVE-2025-37164) was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to the company's security team.
It affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code injection attacks to gain remote code execution on unpatched syst
## Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future · CVSS 4.9 · [MEDIUM]
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
## Greynoiseio
NoiseLetter December 2025
blogs_greynoiseio · CVSS 10.0 · [CRITICAL]
## References
- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hpe_oneview_rce.rb
- https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164
## Timeline
- 2025-12-16: Published
- 2026-01-07: Added to CISA KEV
- Exploited in the wild