CVE-2025-37164 is a remote code execution (RCE) vulnerability in OneView that carries the maximum CVSS score of 10. CISA has added it to its Known Exploited Vulnerabilities catalog, emphasizing the urgency of the situation. HPE released a hotfix for all affected versions of the software, ranging from 5.20 to 10.20, following the vulnerability's disclosure on December 17.
Security experts have raised concerns about the severity of CVE-2025-37164, highlighting the privileged access OneView has within organizations’ networks. This platform enables administrators to manage various IT assets, including servers, storage systems, and network devices, at an elevated level of control.
Douglas McKee, director of vulnerability intelligence at Rapid7, explains the critical nature of this vulnerability, emphasizing the potential impact of a successful RCE attack on OneView. Infiltrating this software could grant threat actors centralized control over an enterprise’s entire infrastructure, posing significant risks beyond conventional web application vulnerabilities.