Hewlett Packard Enterprise (HPE) disclosed a critical security vulnerability in its OneView infrastructure management software. The flaw, identified as CVE-2025-37164, carries the highest possible CVSS score of 10.0.
This vulnerability enables unauthenticated remote code execution (RCE): an attacker can exploit the flaw without credentials to gain complete control of the management appliance, and because OneView manages the underlying infrastructure, that access potentially extends to the entire data center managed by the software.
The vulnerability affects all HPE OneView versions prior to v11.00. HPE released an urgent software update to address the issue and strongly advises customers to upgrade immediately.
Failure to upgrade risks a breach that could lead to operational disruption or ransomware deployment. For customers unable to upgrade immediately, a security hotfix is available for older versions, though HPE notes it may require reapplication following certain system updates.
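Since every release prior to v11.00 is affected, the first defensive step is an inventory check that sorts appliances into "fixed" and "needs upgrade or hotfix". The script below is an added example written for this page, not HPE code; it assumes nothing about the OneView API and works over a constructed inventory of hostnames and version strings. The one detail worth showing is that version strings must be compared numerically rather than as text (a plain string comparison ranks "9.00" above "11.00").

```python
"""Triage helper: flag HPE OneView appliances still on a version affected by
CVE-2025-37164 (all versions prior to v11.00, per the HPE advisory).

Added example for illustration only; not HPE code. The inventory below is
constructed sample data, and the version strings follow the "major.minor"
form used in the advisory ("v11.00").
"""
import re

FIXED_VERSION = (11, 0)  # first release carrying the fix, per the advisory


def parse_version(text):
    """Turn 'v10.10', '11.00' or '9.00.01' into a tuple of ints for ordering.

    A plain string comparison would get this wrong ('9.00' > '11.00'),
    so each dotted component is converted to an integer first.
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip(), flags=re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version_text):
    """True when the appliance version is older than the fixed release."""
    v = parse_version(version_text)
    # Pad the shorter tuple with zeros so (11,) and (11, 0) compare equal.
    width = max(len(v), len(FIXED_VERSION))
    padded_v = v + (0,) * (width - len(v))
    padded_fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return padded_v < padded_fixed


def triage(inventory):
    """Split an inventory of {name, version} records into
    (affected, patched) lists of appliance names, preserving order."""
    affected, patched = [], []
    for rec in inventory:
        bucket = affected if is_affected(rec["version"]) else patched
        bucket.append(rec["name"])
    return affected, patched


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    {"name": "oneview-dc1", "version": "v9.00"},
    {"name": "oneview-dc2", "version": "10.10"},
    {"name": "oneview-lab", "version": "v11.00"},
    {"name": "oneview-dc3", "version": "11.10"},
]

if __name__ == "__main__":
    affected, patched = triage(SAMPLE_INVENTORY)
    print("Affected (upgrade or apply hotfix):", affected)
    print("On a fixed version:", patched)
```

Appliances that land in the affected list but cannot be upgraded yet should be tracked separately so the hotfix can be reapplied after the system updates HPE says may revert it.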