CVE-2025-37164
Published: 16 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-37164 is a remote code execution vulnerability affecting HPE OneView, stemming from a CWE-94 code injection flaw. Published on 2025-12-16, it carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for complete system compromise.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. Successful exploitation yields arbitrary code execution on the affected HPE OneView instance with high impact to confidentiality, integrity and availability; the Scope: Changed (S:C) metric in the vector means the impact is not confined to the vulnerable component itself but can reach resources outside its security authority, which is what lifts the score from 9.8 to the maximum of 10.0.
HPE has issued a security bulletin (hpesbgn04985en_us) detailing the vulnerability, available at support.hpe.com. A Metasploit module for exploitation exists at github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hpe_oneview_rce.rb. Practitioners should consult the bulletin for fixed versions and mitigation steps, and treat the public Metasploit module as confirmation that weaponised exploitation requires little attacker effort.
The vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, signaling real-world exploitation activity.
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
- KEV Date Added: 07 January 2026
Affected Products
HPE OneView; affected and fixed versions are listed in HPE security bulletin hpesbgn04985en_us.
MITRE ATT&CK Enterprise Techniques
- T1190: Exploit Public-Facing Application
Why these techniques?
HPE OneView is a management application that is reachable over the network; an unauthenticated, low-complexity remote code execution in it is a direct instance of Exploit Public-Facing Application, the initial-access technique described above.