HPE warns of maximum-severity RCE flaw in OneView software

Hewlett Packard Enterprise (HPE) has patched a maximum-severity vulnerability in its HPE OneView software that allows attackers to execute arbitrary code remotely.

OneView is HPE's infrastructure management software that helps IT admins streamline operations and automate the management of servers, storage, and networking devices from a centralized interface.

This critical security flaw (CVE-2025-37164) was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to the company's security team.

It affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors in low-complexity code injection attacks to gain remote code execution on unpatched systems.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE warned in a Tuesday advisory.

There are no workarounds or mitigations for CVE-2025-37164, so admins are advised to patch vulnerable systems as soon as possible.

HPE has yet to confirm whether this vulnerability has been targeted in attacks and says that affected organizations can upgrade to OneView version 11.00 or later, available through HPE's Software Center, to patch it.

On devices running OneView versions 5.20 through 10.20, the vulnerability can be addressed by deploying a security hotfix, which must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.

Separate downloads are available for the virtual appliance security hotfix and the Synergy security hotfix through dedicated support pages.

In June, HPE patched eight vulnerabilities in StoreOnce, its disk-based backup and deduplication solution, including a critical-severity authentication bypass and three remote code execution flaws.

One month later, in July, it warned of hardcoded credentials in Aruba Instant On Access Points that could allow attackers to access the web interface after bypassing standard system authentication.

HPE has over 61,000 employees worldwide and has reported revenues of $30.1 billion in 2024. Its services are used by over 55,000 organizations worldwide, including 90% of Fortune 500 companies.
