HPE OneView 存在 CVE-2025-37164 远程代码执行漏洞,CVSS 评分 10.0,影响所有版本至 10.20。CISA 已将其列为已知被利用漏洞。攻击者可通过未认证 REST API 端点进行代码注入。建议立即应用 HPE 安全热补丁,并在升级后重新应用以确保修复有效。 2026-1-14 18:18:15 Author: horizon3.ai(查看原文) 阅读量:2 收藏
HPE OneView Remote Code Execution Vulnerability | CISA KEV
CVE-2025-37164 is a critical remote code execution vulnerability in HPE OneView that can be exploited by an unauthenticated remote attacker. HPE rates it as a CVSS 10.0 and lists impacted versions as HPE OneView, all versions through 10.20.
CISA added CVE-2025-37164 to the Known Exploited Vulnerabilities (KEV) catalog on January 7, 2026, indicating evidence of active exploitation and making this an urgent fix-and-verify priority.
Technical Details
Attack surface: HPE does not publish technical exploitation details in the bulletin. Rapid7 analysis indicates a REST API endpoint reachable without authentication may be involved.
Vulnerability type: Code injection leading to unauthenticated remote code execution.
Severity: CVSS 3.1 base score 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Stop Guessing, Start Proving
NodeZero® Offensive Security Platform – Rapid Response
A Rapid Response test for CVE-2025-37164 launched January 14, 2026. Rapid Response customers can use it to quickly validate exploitability across internal and internet-facing OneView instances and then confirm remediation after applying fixes.
- Run the Rapid Response test: Run the HPE OneView (CVE-2025-37164) Rapid Response test from the customer portal to identify exploitable instances.
- Patch immediately: Apply HPE’s security hotfix for affected versions. HPE states the hotfix applies to HPE OneView version 5.20 through version 10.20. HPE also notes the hotfix must be reapplied after an appliance upgrade from HPE OneView version 6.60.xx to 7.00.00, including any HPE Synergy Composer reimage.
- Re-run the Rapid Response test: Re-test after hotfix application to confirm the target is no longer exploitable.
Note: Third-party guidance commonly frames remediation as upgrading to a fixed major version (11.x) or applying the vendor hotfix. The vendor bulletin itself focuses on the security hotfix path.
Indicators of Compromise (for hunting)
| Indicator | Type | Description |
| Requests to high-risk OneView REST endpoints (example: /rest/id-pools/executeCommand) | Network / Web | HPE does not list endpoint IOCs in the bulletin. Rapid7’s analysis discusses REST endpoint exposure as a likely exploitation path; hunt for unusual REST calls from untrusted segments, unusual user agents, and requests containing command-injection patterns. |
| Unexpected process execution originating from OneView services | Host | Look for OneView web or API processes spawning shells, scripting engines, or system utilities atypical for the appliance baseline. |
| New or anomalous outbound connections from the OneView appliance | Network | Prioritize new destinations shortly after suspicious REST activity, especially infrastructure used for payload retrieval or interactive shells. |
Affected versions and patch
- Affected: HPE OneView, all versions through 10.20.
- Fix: Apply HPE’s security hotfix for HPE OneView 5.20 through 10.20, observing HPE’s reapplication requirements after certain upgrade or reimage scenarios.
References
Read about other CVEs
NodeZero® Platform
Implement a continuous find, fix, and verify loop with NodeZero
The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Recognized By
如有侵权请联系:admin#unsafe.sh