
Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in its OneView software that could allow remote code execution if successfully exploited.
This critical vulnerability has been assigned CVE identifier CVE-2025-37164 and has a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems through a central dashboard interface.
“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. Exploitation of this vulnerability could allow an unauthenticated remote user to execute remote code,” HPE said in an advisory issued this week.

The issue affects all versions of the software prior to 11.00, the release that addresses the flaw. The company also provides a hotfix that can be applied to OneView versions 5.20 through 10.20.
Note that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, and after performing an HPE Synergy Composer reimaging operation. Separate hotfixes are available for the OneView virtual appliance and for Synergy Composer2.
Although HPE has not stated that this flaw is being exploited, users should apply the patch as soon as possible.
Earlier this month, the company also released an update that fixes eight vulnerabilities in its StoreOnce data backup and deduplication solution that could lead to authentication bypass and remote code execution. OneView version 10.00 was also shipped to fix a number of known defects in third-party components such as Apache Tomcat and Apache HTTP Server.
