
HPE Patches Critical Flaw in IT Infrastructure Management Software

Tracked as CVE-2025-37164, the critical flaw could allow unauthenticated, remote attackers to execute arbitrary code.


Hewlett Packard Enterprise (HPE) this week announced patches for a critical-severity remote code execution vulnerability in its OneView IT infrastructure management software.

Tracked as CVE-2025-37164 (CVSS score of 10), the security defect can be exploited without authentication, the company notes in a barebones advisory.

HPE makes no mention of the flaw being exploited in the wild, but urges customers to update to a fixed release as soon as possible.

According to HPE, the issue impacts all OneView releases up to version 10.20. The company has released hotfixes for OneView users and recommends updating 6.60.xx iterations to version 7.00 prior to applying the patch. HPE Synergy Composer reimages should also be updated.

The HPE OneView virtual appliance security hotfixes are available on this page, while the HPE Synergy CVE security hotfix can be found here.

Rapid7 says:


“This hotfix applies a new HTTP rule to the appliance’s webserver to block access to a specific REST API endpoint. This endpoint is /rest/id-pools/executeCommand. Initial inspection of the appliance code indicates this endpoint is reachable without authentication. Rapid7 Labs assesses with a high degree of confidence that this is the access vector for triggering the vulnerability and achieving remote code execution.”
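Because the hotfix works by blocking one endpoint at the webserver, a useful companion check is to look back through the appliance's access logs for earlier requests to that same path. The following is an added example, not code from the article, HPE or Rapid7; it assumes the webserver writes Apache/nginx "combined" format logs and uses constructed sample lines with documentation-range addresses.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Endpoint named in the Rapid7 analysis; the HPE hotfix blocks access to it.
WATCHED_ENDPOINT = "/rest/id-pools/executecommand"

# Assumption: the webserver logs in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def normalize_path(target: str) -> str:
    """Decode and lower-case the request path so encoding, case, duplicate-slash
    and trailing-slash variants cannot slip past a plain string comparison."""
    path = unquote(unquote(urlsplit(target).path))  # twice: collapse double encoding
    return re.sub(r"/+", "/", path).rstrip("/").lower()

def find_endpoint_hits(lines):
    """Return one record per logged request whose path is the watched endpoint."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and normalize_path(m["target"]) == WATCHED_ENDPOINT:
            hits.append({"src": m["src"], "ts": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits

def summarize(hits):
    """Rank sources by request count and count requests the server did not
    refuse (status other than 403/404): on an unpatched appliance those are
    the ones to investigate first."""
    by_src = Counter(h["src"] for h in hits)
    answered = sum(1 for h in hits if h["status"] not in (403, 404))
    return by_src, answered

# Constructed sample log lines (not real traffic); addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Jan/2026:10:01:02 +0000] "GET /rest/version HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Jan/2026:10:01:05 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 88',
    '198.51.100.9 - - [12/Jan/2026:10:02:11 +0000] "POST /rest/id-pools/executeCommand/ HTTP/1.1" 403 0',
    '198.51.100.9 - - [12/Jan/2026:10:02:40 +0000] "POST /rest//id-pools/%65xecuteCommand?x=1 HTTP/1.1" 403 0',
    '203.0.113.4 - - [12/Jan/2026:10:03:00 +0000] "GET /ui/login HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    hits = find_endpoint_hits(SAMPLE_LOG)
    by_src, answered = summarize(hits)
    print(f"{len(hits)} hit(s) on {WATCHED_ENDPOINT}, {answered} not refused; by source: {dict(by_src)}")
```

Hits answered with a non-refusal status before the hotfix was applied are the ones that merit a closer look at the appliance.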

HPE refrained from releasing technical details on the weakness but credited Nguyen Quoc Khanh for reporting it.

This week, HPE also rolled out fixes for three vulnerabilities in dependencies used in the Telco Service Activator service provisioning and activation software platform.

Tracked as CVE-2025-49146, CVE-2025-55163, and CVE-2025-7962, the issues impact the open source PostgreSQL JDBC driver PgJDBC, the Netty network application framework, and Jakarta Mail.

Successful exploitation of the bugs, the company says, could lead to authentication bypass, denial-of-service (DoS), and Carriage Return Line Feed (CRLF) injection.

All HPE Telco Service Activator versions up to 10.3.2 are affected. Patches for the three security defects were included in version 10.3.3 of the platform.

None of these vulnerabilities appears to have been exploited in attacks targeting HPE Telco Service Activator users.

*Updated with information from Rapid7 and to correct the affected OneView versions after HPE updated its advisory.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
