Threat Management, Vulnerability Management, Threat Intelligence, Patch/Configuration Management

Max-severity HPE OneView bug added to CISA list of exploited flaws

(Credit: Sundry Photography – stock.adobe.com)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) placed a maximum-severity HPE OneView bug on its Known Exploited Vulnerabilities (KEV) catalog on Jan. 7.

HPE warned Dec. 16 that teams should apply a security hotfix to HPE OneView to repair the flaw, CVE-2025-37164, adding on Jan. 7 that teams should upgrade to OneView version 11.00 or later.

Now that the flaw has been actively exploited in the wild following the release by Rapid7 of proof-of-concept code, security pros said teams should consider this a “patch now” moment because HPE OneView operates as the orchestration layer for hundreds if not thousands of large enterprises with more than 10,000 users.

“When CISA adds something to the KEV catalog, it means someone is actively using this in the wild,” said Doug McKee, director of vulnerability intelligence at Rapid 7. “Once public exploit code exists, the barrier to entry drops dramatically, and we have seen time and time again how quickly these turn into real-world compromises.”

Randolph Barr, chief information security officer at Cequence Security, said when hackers breach a platform such as HPE OneView, they not only gain access to a single system, but also penetrate the core operations of the entire environment.

“Management-plane software doesn't get updates in the same manner that endpoints do,” said Barr. “Many businesses use OneView on-prem, often on actual servers, and it works closely with ticketing systems, identity services, and automation workflows. That implies businesses need to act swiftly.”

Chrissa Constantine, senior cybersecurity solution architect at Black Duck, added that it’s a severe vulnerability because it allows unauthenticated remote code execution (RCE) through a publicly reachable REST API endpoint. Constantine said when an API gets accessed without authentication, even a low‑complexity code‑injection flaw becomes a direct path for attackers to take full control of infrastructure.

“API security testing helps catch exactly these kinds of issues, such as unexpected input handling, missing auth checks, and unsafe code paths, before they’re exposed in production,” said Constantine. “Given how central OneView is for managing servers, storage, and networking, this vulnerability doesn’t just compromise an application — it puts the entire environment at risk.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds