This is a preview. The full article is published at techradar.com.

HPE tells customers to patch OneView immediately as top-level security flaw spotted


By Sead Fadilpašić | Latest from TechRadar

A 10/10 flaw was found in HPE OneView

HPE patches critical RCE flaw (CVE-2025-37164) in OneView, severity 10/10
Exploitation could allow attackers to reconfigure servers, deploy malware, or create persistent backdoors
Users must upgrade to version 11.0 or apply emergency hotfix immediately

HPE has patched a maximum-severity vulnerability in its OneView platform which could cause several problems for enterprises.

HPE OneView is a centralized infrastructure management platform that lets administrators deploy, monitor, and manage HPE servers, storage, and networking through a single software-defined interface.

The product is critical in an enterprise environment because it has centralized control over server hardware, firmware, storage, and network configurations. If a cybercriminal gains access, they could reconfigure servers, deploy malicious firmware, disrupt workloads, or create persistent backdoors at the infrastructure level.

This could lead to widespread outages, data theft, and long-term compromise that is difficult to detect, and since OneView operates below the operating system layer, traditional security tools may not see or stop the abuse.

Upgrades and hotfixes

HPE recently published a new security advisory and released a patch, but did not detail the vulnerability other than saying it is a remote code execution (RCE) flaw available to unauthenticated users.

The bug is tracked as CVE-2025-37164 and has a severity rating of 10/10 (critical). It affects HPE OneView versions 5-20 through 10.20.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution."

The key word here is “could” - which means HPE hasn’t seen it abused in the wild yet.

However, given its severity and disruptive potential, it is safe to assume that cybercriminals are already looking for ways to put it to work, especially ransomware operators who need sweeping access to be successful.

If you are running HPE OneView, you should upgrade to version 11.0 or apply the emergency hotfix without hesitation. OneView virtual appliance and HPE Synergy have separate fixes, it was said.

Via The Register

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s...
