CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView

Dec 18 2025

Overview

On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.

OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just about establishing remote code execution; it’s about gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.

Update #1: A Rapid7 technical analysis of CVE-2025-37164 has been published on AttackerKB, and a Metasploit module is now available.


Update #2: On January 7, 2026, CVE-2025-37164 was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Hotfix analysis

Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.
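Because the hotfix works by blocking one endpoint at the webserver, a useful defender-side check is to scan the appliance’s access logs for requests that reached /rest/id-pools/executeCommand, whether before the hotfix was applied or after it. The Python below is an added example (not Rapid7’s or HPE’s code): it normalizes request paths so that percent-encoded, mixed-case or trailing-slash variants still match, and summarizes hits per source address. The combined-format log lines are constructed for illustration; the real OneView appliance log layout is an assumption, so adapt LOG_RE to what your appliance actually writes.

```python
import re
from urllib.parse import unquote, urlsplit

# Endpoint the hotfix blocks at the webserver, kept in normalized (lower-case) form.
WATCHED_PATH = "/rest/id-pools/executecommand"

# Constructed sample lines in Apache/nginx "combined" format. The real OneView
# appliance log layout is an assumption here; adapt LOG_RE to your appliance.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2025:10:01:02 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512 "-" "python-requests/2.31"
10.0.0.7 - - [18/Dec/2025:10:02:15 +0000] "GET /rest/version HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [18/Dec/2025:10:03:40 +0000] "POST /REST/id-pools/executeCommand/ HTTP/1.1" 403 0 "-" "curl/8.4.0"
10.0.0.5 - - [18/Dec/2025:10:04:01 +0000] "POST /rest/id-pools/%65xecuteCommand?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def normalize_path(target):
    """Strip the query string, percent-decode, lower-case and collapse slashes so
    trivially obfuscated request paths still compare equal to WATCHED_PATH."""
    path = unquote(urlsplit(target).path).lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path.rstrip("/") or "/"

def find_hits(log_text):
    """Return every parsed request whose normalized path is the watched endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and normalize_path(m["target"]) == WATCHED_PATH:
            hits.append({"src": m["src"], "ts": m["ts"], "method": m["method"],
                         "status": int(m["status"]), "ua": m["ua"]})
    return hits

def summarize_by_source(hits):
    """Group hits per source address: request count and status codes seen. A
    non-4xx status suggests the request reached the endpoint rather than a
    blocking rule, which is the case to escalate for investigation."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["src"], {"requests": 0, "statuses": set()})
        entry["requests"] += 1
        entry["statuses"].add(h["status"])
    return summary
```

Run find_hits over the exported access log and feed the result to summarize_by_source; any source with a 2xx or 5xx status against the endpoint on an unpatched appliance warrants incident-response follow-up.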

Mitigation guidance

According to HPE, CVE-2025-37164 affects HPE OneView versions 5.20 through 10.20 (that is, all versions below 11.0), unless a security hotfix (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) has been applied.

For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today's (December 18) content release.

Updates

  • December 18, 2025: Initial publication.
  • December 19, 2025: Updated to link to the new Rapid7 technical analysis and Metasploit module for CVE-2025-37164.
  • January 8, 2026: Updated Overview to add a reference to the CISA KEV list.
