HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution
A critical security flaw has been identified in HPE OneView software that could result in remote code execution if exploited.
The vulnerability, assigned the CVE identifier CVE-2025-37164, carries a CVSS score of 10.0 and affects all versions of the software prior to version 11.00.
Fortunately, HPE has resolved the issue and made available a hotfix that can be applied to OneView versions 5.20 through 10.20.
What is HPE OneView?
HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface.
It’s designed to simplify the management of IT infrastructure, making it easier to monitor and control systems, networks, and storage.
How to Fix the Vulnerability?
Users can apply the hotfix to OneView versions 5.20 through 10.20 to remediate the vulnerability.
It’s worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations.
Additional Security Measures
Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
Although HPE makes no mention of the flaw being exploited in the wild, it’s essential that users apply the patches as soon as possible for optimal protection.
Previous Security Updates
Earlier this June, HPE released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution.
The company also shipped OneView version 10.00 to remediate a number of known flaws in third-party components, such as Apache Tomcat and Apache HTTP Server.