HPE OneView's CVSS 10.0: An Unauthenticated API Endpoint That Runs Commands
CVE-2025-37164 is a maximum-severity RCE in HPE OneView. An unauthenticated REST API endpoint executes arbitrary commands. 40,000+ exploit attempts on day one.
There’s a REST API endpoint in HPE OneView that executes commands. It doesn’t require authentication.
That’s the vulnerability. That’s the whole thing.
CVE-2025-37164 has a CVSS score of 10.0 — the maximum — and it’s being actively exploited in the wild. CISA added it to the KEV catalog on January 7, 2026. A Metasploit module was public within three days of disclosure.
What HPE OneView Is
HPE OneView is an infrastructure management platform. It controls servers, firmware deployment, storage provisioning, and lifecycle management across enterprise data centers. Think of it as the control plane for your physical infrastructure.
A compromised OneView instance doesn’t give an attacker one server. It gives them the management layer for potentially every server in the environment — provisioning, firmware updates, configuration, lifecycle operations.
This is the kind of access that makes ransomware operators’ day.
The Vulnerability
The flaw exists in the ID Pools feature of HPE OneView. The REST API endpoint:
/rest/id-pools/executeCommand
This endpoint processes command execution requests. It was reachable without authentication.
An unauthenticated attacker sends a crafted request to this endpoint and achieves arbitrary command execution on the appliance. No credentials. No special headers. No exploit chain. Just a POST request to an endpoint that does exactly what its name suggests.
Affected versions: HPE OneView 5.20 through 10.20
Fixed in: Version 11.0 (full fix) or vendor-supplied hotfixes
CVSS: 10.0 — Network vector, low complexity, no privileges required, no user interaction, high impact across confidentiality/integrity/availability.
Timeline
| Date | Event |
|---|---|
| Pre-December 2025 | Security researcher Nguyen Quoc Khanh discovers the flaw |
| December 16, 2025 | HPE releases hotfixes |
| December 17, 2025 | HPE publishes security advisory |
| December 18, 2025 | Rapid7 publishes technical analysis |
| December 19, 2025 | Metasploit module released |
| January 7, 2026 | CISA adds to KEV catalog |
| January 7, 2026 | 40,000+ automated exploit attempts detected in a single morning |
Three days from advisory to Metasploit module. Twenty-two days from advisory to mass exploitation. That’s the window defenders had.
Mass Exploitation
Check Point reported an active, large-scale exploitation campaign on January 7, 2026 — the same day CISA added it to KEV.
Between 05:45 and 09:20 UTC, over 40,000 attack attempts were recorded. Three and a half hours. The attacks were automated, botnet-driven, and delivered the RondoDox botnet payload.
The targets:
- Government organizations (highest concentration)
- Financial services
- Industrial manufacturing
This isn’t opportunistic scanning. This is organized, automated exploitation at scale, targeting sectors where infrastructure management platforms are most likely deployed.
How the Hotfix Works
The hotfix is revealing. Rather than patching the underlying code, HPE added an HTTP rule to the appliance’s webserver that blocks access to /rest/id-pools/executeCommand.
That tells you something about the fix urgency. The fastest way to stop exploitation was to block the endpoint at the web server layer rather than refactor the application code. The full fix came in version 11.0.
What To Do
1. Check Your Version
If you run HPE OneView, check your version immediately.
Vulnerable: 5.20 through 10.20
Safe: 11.0+ or any version with the hotfix applied
2. Apply the Hotfix or Upgrade
Option A: Upgrade to 11.0 — Full fix, recommended for all environments.
Option B: Apply the hotfix — Available for versions 5.20 through 10.20. Applies to both OneView virtual appliance and HPE Synergy Composer variants.
Important caveats:
- The hotfix must be reapplied after upgrading from 6.60.xx to 7.00.00
- The hotfix must be reapplied after any HPE Synergy Composer reimage
- Version 5.20 may remain vulnerable — HPE’s language is ambiguous
3. Check for Compromise
Look for:
- HTTP requests to /rest/id-pools/executeCommand in web server logs
- Unexpected processes spawned by the OneView appliance
- New user accounts or configuration changes you didn’t make
- Outbound connections to unknown infrastructure
- Signs of RondoDox botnet activity
4. Network Controls
If you can’t patch immediately:
- Block external access to the OneView management interface
- Restrict internal access to authorized admin networks only
- Monitor for requests to /rest/id-pools/executeCommand
- Consider taking the appliance offline until patched
OneView management interfaces should never be internet-facing. If yours is, that’s problem number one.
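The version triage in step 1 and the log review in step 3 are easy to get wrong by hand when there are several appliances to check, so here is an added example that does both. It is not HPE's, Rapid7's or the appliance's own code; it assumes the web server writes a standard combined-format access log (adjust the regex if yours differs), and the sample log lines, IP addresses and timestamps below are constructed for the demonstration.

```python
"""Defender-side triage helpers for CVE-2025-37164 (HPE OneView).

Added example, not vendor code. Two pieces:
  1. assess_version()  - maps a OneView version string to the advisory's affected range
  2. scan_log_text()   - finds requests to the executeCommand endpoint in an access log
"""
import re
from typing import Dict, Iterable, Iterator, List, NamedTuple, Tuple

VULNERABLE_ENDPOINT = "/rest/id-pools/executeCommand"

# Range and fix version as stated in the advisory coverage above.
FIRST_AFFECTED = (5, 20)
LAST_AFFECTED = (10, 20)
FIXED_IN = (11, 0)


def parse_version(version: str) -> Tuple[int, int]:
    """Turn '10.20', '6.60.03' or '11.0' into a (major, minor) tuple."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts[:2]):
        raise ValueError(f"unrecognised OneView version string: {version!r}")
    return int(parts[0]), int(parts[1])


def assess_version(version: str, hotfix_applied: bool = False) -> str:
    """Return 'fixed', 'vulnerable', 'mitigated', 'verify' or 'unknown'.

    'verify' is returned for 5.20 with the hotfix, because the advisory wording
    on whether the hotfix fully covers 5.20 is ambiguous; confirm with HPE.
    'unknown' means the version is below the published affected range.
    """
    v = parse_version(version)
    if v >= FIXED_IN:
        return "fixed"
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        if not hotfix_applied:
            return "vulnerable"
        return "verify" if v == FIRST_AFFECTED else "mitigated"
    return "unknown"


# Combined-format access log (assumption: adjust if the appliance logs differently).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


class Hit(NamedTuple):
    ip: str
    when: str
    method: str
    path: str
    status: int


def find_exploit_attempts(lines: Iterable[str]) -> Iterator[Hit]:
    """Yield a Hit for every request whose path is the executeCommand endpoint.

    The comparison is case-insensitive and ignores the query string, so a
    request to /REST/ID-POOLS/EXECUTECOMMAND?x=1 is still reported.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skipped rather than silently mis-scored
        path = m.group("path").split("?", 1)[0]
        if path.lower() == VULNERABLE_ENDPOINT.lower():
            yield Hit(m.group("ip"), m.group("ts"), m.group("method"),
                      m.group("path"), int(m.group("status")))


def scan_log_text(text: str) -> Tuple[Dict[str, int], List[Hit]]:
    """Count hits per source IP and return the hits the server answered with 2xx.

    A 2xx on this endpoint from an unpatched appliance is the one to escalate;
    a 403 is what the hotfix's web server rule is expected to produce.
    """
    per_ip: Dict[str, int] = {}
    succeeded: List[Hit] = []
    for h in find_exploit_attempts(text.splitlines()):
        per_ip[h.ip] = per_ip.get(h.ip, 0) + 1
        if 200 <= h.status < 300:
            succeeded.append(h)
    return per_ip, succeeded


# Constructed sample log: two accepted requests from one source, one blocked
# request from another, one unrelated request and one unparseable line.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jan/2026:05:47:12 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512
203.0.113.10 - - [07/Jan/2026:05:47:13 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512
198.51.100.7 - - [07/Jan/2026:05:48:01 +0000] "POST /rest/id-pools/executecommand?x=1 HTTP/1.1" 403 0
192.0.2.44 - - [07/Jan/2026:05:49:30 +0000] "GET /rest/version HTTP/1.1" 200 88
this line is not an access log entry
"""

if __name__ == "__main__":
    for ver, hf in [("10.20", False), ("6.60.03", True), ("5.20", True), ("11.0", False)]:
        print(f"OneView {ver} hotfix={hf}: {assess_version(ver, hf)}")
    per_ip, succeeded = scan_log_text(SAMPLE_LOG)
    print("attempts per source IP:", per_ip)
    for h in succeeded:
        print(f"ESCALATE: {h.ip} got HTTP {h.status} on {h.path} at {h.when}")
```

Run it against a real log with `scan_log_text(open(path).read())`; anything in the `succeeded` list on an appliance that was unpatched at that time should be treated as a likely compromise and fed into the process, account and outbound-connection checks listed in step 3.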
The Infrastructure Management Problem
This is the same class of issue we keep seeing: management platforms with outsized access that become single points of compromise.
The pattern repeats across vendors:
| Platform | Vulnerability | Impact |
|---|---|---|
| VMware vCenter | CVE-2024-37079 | Data center management |
| Ivanti EPMM | CVE-2026-1281 | Mobile device management |
| Fortinet FortiManager | CVE-2024-47575 | Network device management |
| HPE OneView | CVE-2025-37164 | Server infrastructure management |
Every one of these sits at a management plane that controls dozens or hundreds of downstream systems. Compromising the management layer gives attackers more leverage than compromising any individual managed device.
And every one of these has had critical, actively exploited vulnerabilities in the past two years.
The uncomfortable question: is the management layer itself a net positive for security, or does it just centralize the risk?
The API Endpoint Problem
An endpoint called executeCommand that accepts unauthenticated requests is not a subtle bug. This isn’t a race condition or a memory corruption issue that requires months of research. It’s an open door with a sign on it.
The security industry has been talking about API security for years. OWASP has an API Security Top 10. Companies sell dedicated API security products. And yet we still find /executeCommand endpoints with no authentication in enterprise infrastructure management platforms.
The Metasploit module was ready in three days because the exploit is trivial. The barrier to exploitation is essentially zero.
An API endpoint called “executeCommand” that doesn’t check who’s calling it. Sometimes the vulnerability is exactly what it sounds like.
References
- Rapid7 — CVE-2025-37164: Critical Unauthenticated RCE in HPE OneView
- HPE Security Bulletin — HPESBGN04985
- The Hacker News — HPE OneView Flaw Rated CVSS 10.0
- Help Net Security — HPE OneView Flaw Being Exploited
- Dark Reading — Maximum Severity HPE OneView Flaw Exploited
- CISA KEV Catalog