Hewlett Packard Enterprise (HPE) has resolved a maximum-severity security flaw in its OneView software that, if successfully exploited, could lead to remote code execution.
The critical vulnerability, tracked as CVE-2025-37164, carries a CVSS score of 10.0. HPE OneView is IT infrastructure management software that streamlines IT operations and controls all managed systems through a centralized dashboard.
"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," the company said in an advisory issued this week.
The flaw affects all versions of the software prior to version 11.00, which addresses it. The company has also made available a hotfix that can be applied to OneView versions 5.20 to 10.20.
It is worth noting that the hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation. Separate hotfixes are available for OneView virtual appliances and Synergy Composer2.
Although HPE has made no mention of the flaw being exploited in the wild, users should apply the patch as soon as possible, since an unauthenticated remote code execution flaw in a central management console gives an attacker control over every system it manages.
Earlier in June, the company also released updates to fix eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in authentication bypass and remote code execution. It also shipped OneView version 10.00 to fix several known flaws in third-party components such as Apache Tomcat and Apache HTTP Server.