Skip to content
Uniqcli

"HPE OneView CVE-2025-37164 (CVSS 10.0): Unauthenticated RCE Now Exploited in the Wild — Patch Guide"

NewsUniqcli TeamJune 11, 20267 min read
"HPE OneView CVE-2025-37164 (CVSS 10.0): Unauthenticated RCE Now Exploited in the Wild — Patch Guide"

HPE OneView is the management plane many organizations use to provision and operate servers, Synergy frames, and converged infrastructure. A flaw there is unusually serious, because OneView holds privileged reach into the hardware it manages. CVE-2025-37164 is exactly that kind of flaw: an unauthenticated remote code execution bug that vendor HPE rates at the maximum CVSS score, that CISA has confirmed is being exploited, and that a botnet is now spraying across the internet at scale.

If you run HPE OneView — including OneView for Synergy and HPE Synergy Composer — this is a drop-everything patch. Here is what the public advisories confirm, and what they do not.

What happened

In mid-December 2025, security researcher Nguyen Quoc Khanh privately disclosed this RCE vulnerability to HPE. The root cause is an exposed REST API endpoint tied to OneView's id-pools functionality (the executeCommand endpoint) that accepts attacker-supplied input without any authentication or authorization check. That gap allows code injection leading to unauthenticated remote code execution.

HPE published advisory hpesbgn04985en_us and released fixes on December 16, 2025. The situation escalated quickly: a Metasploit exploitation module appeared on December 19, 2025, CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on January 7, 2026, and the Linux-based RondoDox botnet began automated, large-scale exploitation in mid-January. Check Point Research reported recording more than 40,000 exploitation attempts in a roughly four-hour window, with the heaviest activity aimed at government, financial services, and industrial manufacturing organizations — and the United States seeing the highest volume.

Affected products and versions

The vulnerability affects HPE OneView (including Synergy/Composer) in all releases prior to v11.00. Public sources describe the range as 5.20 through 10.20; NVD lists affected versions up to and including 10.20.00.

Product Affected Fixed
HPE OneView (virtual appliance) All versions before v11.00 (5.20 through 10.20) v11.00, or security hotfix applied
HPE OneView for Synergy / HPE Synergy Composer All versions before v11.00 (5.20 through 10.20) v11.00, or Synergy security hotfix applied

If you are already on v11.00 or later, you are not affected.

How serious is it

This is a maximum-severity issue by the vendor's own rating.

  • HPE (vendor CNA) CVSS v3.1: 10.0 Critical — vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.
  • NVD/NIST CVSS v3.1: 9.8 Critical — vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The difference between the two scores comes down to scope (HPE marks scope changed, NIST marks it unchanged); either way it is in the critical band.

The defining characteristics are what make this dangerous: network-reachable, no authentication, low attack complexity, no user interaction, and full confidentiality/integrity/availability impact. An attacker who can reach the OneView management interface can run code on it.

On exploitation there is no ambiguity. CVE-2025-37164 is on the CISA KEV catalog (added January 7, 2026), which means confirmed active exploitation. For US federal civilian agencies, Binding Operational Directive 22-01 set a remediation due date of January 28, 2026. Public exploit code exists (Metasploit), and the RondoDox botnet is actively exploiting it.

Am I exposed?

Work through these checks:

  • Do you run HPE OneView, OneView for Synergy, or HPE Synergy Composer? If yes, confirm the running version. Anything before v11.00 without the hotfix is vulnerable.
  • Is the OneView management interface reachable from untrusted networks? OneView is meant to live on a protected management network. If its web/REST interface is exposed to broader internal networks or the internet, treat exposure as high. Given the scale of the RondoDox campaign, any internet-reachable instance should be considered a likely target.
  • Could it already have been touched? Because public exploitation predates many patch windows, an unpatched OneView should be treated as a possible compromise. Review authentication logs, unexpected processes or accounts, and outbound connections from the appliance. The flaw is a foothold into the management plane, so assume-breach review of downstream systems is prudent.

How to fix it

There are no workarounds or mitigations that substitute for the patch — HPE and CISA both state that no workaround is available. Apply one of the following.

  • Upgrade to HPE OneView v11.00 or later. This is the complete fix and the recommended path. v11.00 is available through HPE's Software Center / Software Depot.
  • If you cannot upgrade immediately, apply the security hotfix. HPE released hotfixes covering OneView 5.20 through 10.20. The hotfix blocks access to the vulnerable REST API endpoint via a new web server rule rather than fully removing the code path.

Important hotfix caveats from HPE's guidance:

  • The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00.
  • The hotfix must be reapplied after any HPE Synergy Composer reimaging operation.
  • The hotfix is an interim measure. Plan the move to v11.00 so you are not depending on an endpoint block indefinitely.

Alongside patching, restrict OneView's management interface to a dedicated, tightly segmented network and remove any unnecessary exposure. If you find evidence consistent with exploitation, treat the appliance as compromised and follow your incident response process before returning it to service.

How Uniqcli helps

Uniqcli is an authorized HPE, HPE Aruba Networking, and HPE Juniper Networking reseller, and we work with federal, SLED, healthcare, and enterprise teams on exactly this kind of urgent remediation. We can:

  • Assess your exposure — inventory the HPE OneView, Synergy, and Composer instances in your environment, identify versions still below v11.00, and flag any reachable beyond a protected management network.
  • Source patched and replacement hardware — where an upgrade also means refreshing aging Synergy or server hardware, we can quote and supply current, supported configurations.
  • Support the upgrade — help plan and stage the move to OneView v11.00 (and apply the interim hotfix correctly, including the reapply conditions), with minimal disruption.
  • Procure through your vehicle — TAA-compliant sourcing via GSA and SEWP, so federal and SLED buyers can act fast under existing contract paths.

To confirm whether your fleet is exposed to CVE-2025-37164 or to get help executing the upgrade, reach out and we will get you to a verified, patched state.

Sources

Build your HPE bill of materials.

Send us the requirement, the project, or an existing quote to beat. We come back with a validated, TAA-compliant HPE configuration and a real price, often below list.

connect [at] getuniqcli.com · Chicago, IL