
CVSS 10.0 HPE OneView RCE bug identified – patch now!


A maximum-severity CVSS 10.0 remote code execution (RCE) vulnerability has been discovered in Hewlett Packard Enterprise OneView, a widely used network management tool that lets enterprises manage servers, storage and network devices from a single interface.

Security pros warned that because HPE OneView software runs as the orchestration layer for the entire data center for hundreds if not thousands of large enterprises with 10,000 or more users, a CVSS 10.0 vulnerability effectively serves as a “keys to the kingdom” exploit.

“I vividly remember during my time at Mandiant, the industry learned a painful lesson during the SolarWinds breach,” said Frankie Sclafani, director of cybersecurity enablement at Deepwatch. “When you compromise the management plane, you don't need to hack individual servers — you already own them.”

Sclafani explained that by exploiting this unauthenticated RCE flaw, an attacker can move laterally with ease, manipulate storage arrays, or even compromise the root of trust at the hardware level.

In a Dec. 16 advisory, HPE said teams should apply a security hotfix to HPE OneView versions 5.20 through 10.20. HPE also said the security hotfix must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including after any HPE Synergy Composer reimage.

HPE thanked Vietnamese security researcher Nguyen Quoc Khanh (brocked200) for reporting the issue.

While no active exploitation has yet been reported, Sclafani said that given the low complexity of this exploit (simple code injection) and the high-value nature of the target, we should expect active exploitation to begin almost immediately.

“The lack of a workaround makes the patching cycle even more urgent,” said Sclafani. “As a reminder, organizations must also be wary of the 'hotfix trap' — if they apply the temporary fix, but later upgrade their Synergy Composer without reapplying it, they effectively re-open the front door for attackers.”

Michael Bell, chief executive officer of Suzu Labs, also confirmed that security teams should patch the HPE OneView flaw immediately. Bell said a CVSS 10.0 in infrastructure management software isn't something teams should schedule for the next maintenance window.

"OneView sits at the center of the data center, managing servers, storage, and networking devices with privileged access to all of them," said Bell. "Compromising OneView means an attacker inherits that same privileged position across the entire infrastructure. The combination of factors here is about as bad as it gets. Unauthenticated access, low-complexity attack, remote code execution, and no workarounds available. That's the vulnerability trifecta that threat actors actively hunt for."

Bell added that we've seen this pattern repeatedly with Ivanti, SonicWall, Fortinet, and other infrastructure management tools. Attackers know these products exist in nearly every enterprise environment and that compromising them offers maximum leverage. Bell said the moment a CVSS 10.0 drops for this class of software, reverse engineering starts immediately.

"The fact that HPE hasn't confirmed exploitation yet doesn't mean much," said Bell. "Many organizations running OneView won't have the visibility to detect compromise, especially if attackers are patient and avoid triggering obvious alerts. By the time we see confirmed exploitation in the wild, the initial wave of opportunistic attacks has likely already happened."
