Critical HPE OneView Flaw Rated CVSS 10.0 Allows Complete System Takeover
Hewlett Packard Enterprise (HPE) has addressed a critical security vulnerability in its OneView software, tracked as CVE-2025-37164 and rated at the maximum CVSS score of 10.0. The flaw allows unauthenticated remote code execution, putting the management and control of managed infrastructure at risk.

The vulnerability affects all OneView versions prior to 11.00. HPE has published a patch for versions 5.20 to 10.20. Users who upgrade from version 6.60 or later to 7.00.00, or who perform certain actions with HPE Synergy Composer, must reapply the fix after the upgrade. Separate patches are available for the OneView virtual appliance and for Synergy Composer2. Although there is no evidence of exploitation, HPE urges customers to install these updates promptly.

Separately, in June HPE released updates for its StoreOnce backup system to address eight vulnerabilities, including some that could allow a security bypass or remote code execution, and updated OneView to version 10.00 to resolve issues in bundled third-party software such as Apache Tomcat and Apache HTTP Server.