HPE fixes critical OneView flaw rated CVSS 10.0 that allows remote code execution

Hewlett Packard Enterprise has fixed a maximum-severity vulnerability in its OneView management software that could allow remote code execution by an unauthenticated attacker. The issue is tracked as CVE-2025-37164.

OneView is HPE's IT infrastructure management product, centralising operations and system control for servers, storage and networking. All OneView versions prior to 11.00 are affected. HPE has released version 11.00 to address the flaw and, as an alternative for installations still on older releases, a hotfix covering OneView 5.20 through 10.20.

The vulnerability carries a CVSS score of 10.0, the maximum on the scale. HPE's advisory states that a remote, unauthenticated attacker could exploit the flaw to execute code on the appliance. Because no credentials are required, every network path that reaches the OneView management interface is part of the attack surface, which makes keeping that interface on an isolated management network an important stopgap until the fix or hotfix is in place.

HPE cautioned that the hotfix must be reapplied after two operations: upgrading from version 6.60 or later to version 7.00.00, and any reimaging of an HPE Synergy Composer. The company also published separate hotfixes for the OneView virtual appliance and for Synergy Composer2.
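The version ranges above are easy to get wrong in a fleet audit because OneView writes versions with a varying number of components ("11.00" versus "7.00.00"). The following helper, added here as an example and not code from HPE or the article, normalises such strings, classifies an installed version against the ranges the advisory reports (fixed in 11.00, hotfix for 5.20 through 10.20, everything else below 11.00 needs an upgrade), and flags the two cases in which the hotfix has to be reapplied. The inventory at the bottom is constructed sample data; appliance names and the status labels are this example's own.

```python
from typing import Dict, Tuple

# Boundaries as reported from the HPE advisory.
FIXED_VERSION = "11.00"     # first release containing the fix
HOTFIX_FIRST = "5.20"       # hotfix covers 5.20 ...
HOTFIX_LAST = "10.20"       # ... through 10.20 (inclusive)
REAPPLY_FROM = "6.60"       # reapply hotfix when upgrading from 6.60 or later ...
REAPPLY_TO = "7.00.00"      # ... to 7.00.00


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.00.00' or '11.00' into a tuple that compares numerically.

    Trailing zero components are dropped so that '7.00' and '7.00.00'
    compare equal; '10.20' correctly sorts below '11.00'.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def classify(version: str) -> str:
    """Classify one installed OneView version against the advisory ranges."""
    v = parse_version(version)
    if v >= parse_version(FIXED_VERSION):
        return "fixed"
    if parse_version(HOTFIX_FIRST) <= v <= parse_version(HOTFIX_LAST):
        return "vulnerable-hotfix-available"
    # Below 11.00 but outside the hotfix range: only an upgrade remains.
    return "vulnerable-upgrade-required"


def hotfix_must_be_reapplied(from_version: str, to_version: str,
                             composer_reimaged: bool = False) -> bool:
    """True when the advisory says the hotfix has to be applied again.

    Either the upgrade path is 6.60-or-later -> 7.00.00, or a Synergy
    Composer was reimaged (the caller records that as a flag).
    """
    if composer_reimaged:
        return True
    upgrade_path = (parse_version(from_version) >= parse_version(REAPPLY_FROM)
                    and parse_version(to_version) == parse_version(REAPPLY_TO))
    return upgrade_path


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map appliance name -> status for a {name: version} inventory."""
    return {name: classify(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical appliance names).
    sample = {
        "oneview-dc1": "7.00.00",
        "oneview-dc2": "10.20",
        "oneview-lab": "5.10",
        "oneview-new": "11.00",
    }
    for name, status in audit(sample).items():
        print(f"{name:12s} {sample[name]:8s} {status}")
    print("reapply after 6.60 -> 7.00.00:",
          hotfix_must_be_reapplied("6.60", "7.00.00"))
```

Versions that fall below 5.20 or between 10.20 and 11.00 are reported as needing an upgrade because the article lists no hotfix for them; check HPE's advisory directly before treating any such release differently.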

HPE has not reported exploitation of the flaw in the wild, but it urged users to apply the update or the appropriate hotfix as soon as possible. Earlier in June the company also released updates for its StoreOnce backup and deduplication product to address multiple vulnerabilities.