
HPE tells customers to patch OneView immediately as top-level security flaw spotted

2025-12-22 16:15

A 10/10 RCE flaw was found in HPE OneView, but it's not yet being abused.

By Sead Fadilpašić, published 22 December 2025

A 10/10 flaw was found in HPE OneView

  • HPE patches critical RCE flaw (CVE-2025-37164) in OneView, severity 10/10
  • Exploitation could allow attackers to reconfigure servers, deploy malware, or create persistent backdoors
  • Users must upgrade to version 11.0 or apply emergency hotfix immediately

HPE has patched a maximum-severity vulnerability in its OneView platform that could cause quite a few problems for enterprises.

HPE OneView is a centralized infrastructure management platform that lets administrators deploy, monitor, and manage HPE servers, storage, and networking through a single software-defined interface. The product is critical in an enterprise environment because it has centralized control over server hardware, firmware, storage, and network configurations.

If a cybercriminal gains access, they could reconfigure servers, deploy malicious firmware, disrupt workloads, or create persistent backdoors at the infrastructure level. This could lead to widespread outages, data theft, and long-term compromise that is difficult to detect, and since OneView operates below the operating system layer, traditional security tools may not see or stop the abuse.

Upgrades and hotfixes

HPE recently published a new security advisory and released a patch, but did not detail the vulnerability other than saying it is a remote code execution (RCE) flaw exploitable by unauthenticated users.

The bug is tracked as CVE-2025-37164 and has a severity rating of 10/10 (critical). It affects HPE OneView versions 5.20 through 10.20.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software," HPE said in its advisory. "This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution."

The key word here is “could” - which means HPE hasn’t seen it abused in the wild yet. However, given its severity and disruptive potential, it is safe to assume that cybercriminals are already looking for ways to put it to work, especially ransomware operators who need sweeping access to be successful.

If you are running HPE OneView, you should upgrade to version 11.0 or apply the emergency hotfix without hesitation. Separate fixes are available for the OneView virtual appliance and HPE Synergy, it was said.

Via The Register


Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
