Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

CISA Flags Maximum Severity HPE OneView Flaw as Actively Exploited



A maximum-severity vulnerability in HPE's OneView infrastructure management software has been added by CISA to its Known Exploited Vulnerabilities (KEV) catalog, meaning the agency has evidence that it is being exploited in the wild. Organizations running OneView are urged to upgrade their appliances immediately. The details are covered below.

  • The US Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity vulnerability in HPE's OneView software, CVE-2025-37164, to its Known Exploited Vulnerabilities (KEV) catalog.
  • The flaw is a low-complexity code injection that is being exploited in the wild against appliances that have not been patched.
  • HPE shipped a fix in mid-December, but many organizations have yet to apply it.
  • CISA is urging all organizations, including those in the private sector, to upgrade affected appliances as soon as possible; federal civilian agencies have a three-week deadline under BOD 22-01.
  • The vulnerability affects all OneView releases prior to version 11.00, leads to remote code execution on unpatched appliances, and has no workaround or mitigation other than upgrading.



    In a pressing cybersecurity update, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a maximum-severity vulnerability in HPE's OneView infrastructure management software to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, tracked as CVE-2025-37164, is being actively exploited by attackers against systems that are still running unpatched versions of the software.

    HPE released security patches for this critical vulnerability in mid-December, but it appears that many organizations have yet to apply them, leaving their appliances exposed. The agency urges all organizations, including those in the private sector, to patch as soon as possible.

    OneView is a centralized interface that IT administrators use to automate the management of servers, storage, and networking devices, which is what makes code execution on the appliance so valuable to an attacker. The vulnerability affects all OneView releases prior to version 11.00 and can be exploited through a low-complexity code injection to gain remote code execution on an unpatched appliance. HPE lists no workarounds or mitigations for CVE-2025-37164; until the upgrade to 11.00 or later is applied, the only compensating control is to keep the OneView management interface reachable solely from trusted administrative networks.
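    As an added illustration, and not HPE's or CISA's code, the Python script below takes an inventory of OneView appliances with their reported software versions and flags every appliance below 11.00, the first fixed release named in this article. The version-string format ("major.minor.patch-build"), the hostnames and the versions in the sample inventory are assumptions made for the example; the inventory is constructed, not real data. The script compares versions numerically rather than as strings, because a plain string comparison ranks "9.00" above "11.00" and would silently miss an affected appliance, and it flags anything it cannot parse for manual verification rather than treating it as safe.

```python
import re
from typing import NamedTuple, Optional, Tuple

# First OneView release that fixes CVE-2025-37164, per the HPE advisory
# discussed in the article above; every release before it is affected.
FIXED_VERSION = (11, 0)

# Matches OneView appliance version strings such as "10.20.00-0123" or "11.00".
# The optional "-build" suffix is ignored when comparing. The exact string
# format is an assumption for this example.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-\w+)?$")


class Finding(NamedTuple):
    host: str
    version: str
    affected: bool
    note: str


def parse_version(version: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) as integers, or None if the string is unparseable.

    Integer comparison is used deliberately: a string comparison would rank
    "9.00" above "11.00" and miss affected appliances.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        return None
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if below the fixed release, False if at or above it, None if unparseable."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    return parsed[:2] < FIXED_VERSION


def triage(inventory: dict) -> list:
    """Classify every appliance in the inventory; unparseable versions are
    treated as affected so that they are not silently dropped from follow-up."""
    findings = []
    for host, version in sorted(inventory.items()):
        state = is_affected(version)
        if state is None:
            findings.append(Finding(host, version, True, "unparseable version; verify manually"))
        elif state:
            findings.append(Finding(host, version, True, "below 11.00: upgrade required"))
        else:
            findings.append(Finding(host, version, False, "fixed release"))
    return findings


# Constructed sample inventory (hostname -> reported appliance version).
# Hostnames and versions are invented for this example.
SAMPLE_INVENTORY = {
    "oneview-dc1.example.internal": "10.20.00-0123",
    "oneview-dc2.example.internal": "9.00.00-0456",
    "oneview-lab.example.internal": "11.00.00-0007",
    "oneview-old.example.internal": "unknown",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        flag = "AFFECTED" if finding.affected else "ok      "
        print(f"{flag}  {finding.host:<30} {finding.version:<15} {finding.note}")
```

    Feed the script the versions your asset inventory or the appliance's own UI reports; the point of the numeric parse is that any appliance on a 9.x or 10.x release is caught, whereas a naive string sort would put 9.x after 11.00 and hide it.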

    CISA added CVE-2025-37164 to its Known Exploited Vulnerabilities (KEV) catalog, and under Binding Operational Directive (BOD) 22-01 federal civilian executive branch agencies must remediate it within three weeks of that listing. BOD 22-01 binds only federal agencies, but CISA is urging every organization to treat the KEV listing as a patching priority and act immediately.

    HPE has issued several high-profile security advisories in recent months. In July, the company warned of hardcoded credentials in its Aruba Instant On Access Points that could let attackers bypass normal device authentication. It also patched eight vulnerabilities in its StoreOnce disk-based backup and deduplication product, including three remote code execution flaws and a critical-severity authentication bypass.

    This new flaw underlines that publishing a fix is only half the job. CISA's binding operational directive, issued in November 2021, has given federal agencies a clear process for remediating known exploited vulnerabilities, yet many organizations inside and outside government still lag on applying patches.

    The steady growth of the KEV catalog is a clear signal that organizations must invest in the basics: a patch management process with defined deadlines for actively exploited flaws, regular vulnerability assessments that cover management appliances such as OneView rather than only endpoints and servers, and routine tracking of vendor security bulletins.

    The consequences of falling behind are severe and familiar: data breaches, system compromise, and reputational damage.

    In conclusion, CVE-2025-37164 in HPE OneView is fixed by the vendor, actively exploited, and has no workaround. CISA has urged all organizations, including those in the private sector, to upgrade affected appliances as soon as possible; doing so closes the exposure.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/CISA-Flags-Maximum-Severity-HPE-OneView-Flaw-as-Actively-Exploited-ehn.shtml

  • Published: Thu Jan 8 01:52:09 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.