CVE-2025-37164: Critical unauthenticated RCE affecting Hewlett Packard Enterprise OneView

Dec 18 2025

Overview

On December 17, 2025, Hewlett Packard Enterprise (HPE) published an advisory for CVE-2025-37164, a CVSS 10.0 vulnerability in HPE OneView. The vulnerability, which was reported to HPE by security researcher Nguyen Quoc Khanh, facilitates unauthenticated remote code execution (RCE) on versions of HPE OneView before 11.0. Defenders are advised to prioritize upgrading to version 11.0 or applying the emergency hotfixes (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) as soon as possible.

OneView sits at a privileged control plane for enterprise infrastructure, so successful exploitation isn’t just a matter of establishing remote code execution; it means gaining centralized control over servers, firmware, and lifecycle management at scale. The real concern here is exposure and trust assumptions. Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.

Update #1: A Rapid7 technical analysis of CVE-2025-37164 has been published on AttackerKB, and a Metasploit module is now available.


Hotfix analysis

Rapid7 Labs has begun an initial analysis of the vendor-supplied hotfix HPE_OneView_CVE_37164_Z7550-98077.bin. This hotfix applies a new HTTP rule to the appliance’s webserver that blocks access to a specific REST API endpoint, /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this endpoint is the access vector for triggering the vulnerability and achieving remote code execution.
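Because the hotfix works by refusing requests to a single endpoint, the appliance webserver’s access log is a natural place to look for attempted use of that path and to confirm the rule is in effect. The following Python is an added example, not Rapid7’s or HPE’s code: it scans access-log lines for requests to /rest/id-pools/executeCommand and separates requests the server refused (consistent with the hotfix rule being active) from requests it served, which on a pre-hotfix appliance warrant investigation. The combined-log field layout and the sample lines are constructed assumptions; OneView’s real log format may differ and the regex would need adjusting to match it.

```python
"""Flag access-log requests to the REST endpoint blocked by the CVE-2025-37164 hotfix.

Added example, not Rapid7's or HPE's code. The log layout (Apache-style
combined log) is an assumption; the sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Endpoint named in the hotfix analysis.
BLOCKED_ENDPOINT = "/rest/id-pools/executeCommand"

# Constructed sample log lines (assumed combined-log layout, not OneView's real format).
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2025:10:01:02 +0000] "GET /rest/version HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.7 - - [18/Dec/2025:10:01:09 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 210 "-" "python-requests/2.31"
10.0.0.9 - - [18/Dec/2025:10:02:11 +0000] "POST /rest/login-sessions HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Dec/2025:10:03:30 +0000] "POST /REST/ID-POOLS/EXECUTECOMMAND HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [18/Dec/2025:10:04:01 +0000] "POST /rest/id-pools/executeCommand/?x=1 HTTP/1.1" 200 210 "-" "python-requests/2.31"
"""

# One combined-log line: source, ident, user, [timestamp], "METHOD path proto", status, size, referer, UA.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


@dataclass
class Hit:
    src: str
    ts: str
    method: str
    path: str
    status: int
    blocked: bool  # True when the webserver refused the request (401/403)


def normalize_path(path: str) -> str:
    """Drop the query string and trailing slashes and lower-case the path.

    This is for triage visibility only: it surfaces case and suffix variants of the
    endpoint so an analyst reviews them, without asserting how the appliance routes them.
    """
    return path.split("?", 1)[0].rstrip("/").lower()


def scan(log_text: str) -> list[Hit]:
    """Return every parsed request whose normalized path is the blocked endpoint."""
    target = normalize_path(BLOCKED_ENDPOINT)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if normalize_path(m["path"]) != target:
            continue
        status = int(m["status"])
        hits.append(Hit(m["src"], m["ts"], m["method"], m["path"], status, status in (401, 403)))
    return hits


def summarize(hits: list[Hit]) -> dict:
    """Split hits into served vs. refused and list the source addresses involved."""
    return {
        "served": [h for h in hits if not h.blocked],
        "blocked": [h for h in hits if h.blocked],
        "sources": sorted({h.src for h in hits}),
    }


if __name__ == "__main__":
    report = summarize(scan(SAMPLE_LOG))
    print(f"served by appliance : {len(report['served'])}")
    print(f"refused (401/403)   : {len(report['blocked'])}")
    print(f"sources             : {', '.join(report['sources'])}")
    for h in report["served"]:
        print(f"  INVESTIGATE {h.ts} {h.src} {h.method} {h.path} -> {h.status}")
```

On the constructed sample, two requests to the endpoint were served with HTTP 200 and one was refused with 403; a served request on an appliance that should already carry the hotfix is the finding to escalate, since it indicates either the rule is not in place or the path variant is not covered by it.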

Mitigation guidance

According to HPE, CVE-2025-37164 affects HPE OneView versions below 11.0 (version 5.20 through version 10.20) unless a security hotfix (HPE OneView virtual appliance hotfix, HPE Synergy hotfix) has been applied.

For the latest mitigation guidance for HPE OneView, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2025-37164 with an unauthenticated vulnerability check expected to be available in today's (December 18) content release.

Updates

  • December 18, 2025: Initial publication.
  • December 19, 2025: Updated to link to the new Rapid7 technical analysis and Metasploit module for CVE-2025-37164.
