
December 23, 2025

Critical RCE in HPE OneView Exposes Infrastructure Control Plane


At a glance: HPE OneView is impacted by a maximum severity vulnerability (CVE-2025-37164) that enables unauthenticated remote code execution via a REST API endpoint, giving attackers privileged access to infrastructure management operations and potentially allowing centralized control of hardware, firmware and networking at scale.

Threat summary

On 16 December 2025, Hewlett Packard Enterprise (HPE) issued an advisory urging immediate patching of a maximum severity vulnerability affecting HPE OneView versions 5.20 through 10.20. On 17 and 18 December 2025, HPE released patches and emergency hotfixes for impacted deployments, including OneView virtual appliances and HPE Synergy systems.

The flaw, tracked as CVE-2025-37164, enables unauthenticated remote code execution on OneView, a centralized infrastructure management platform used to control servers, firmware, storage, and networking across enterprise environments. OneView operates as a privileged control plane for hardware lifecycle management and is often deployed deep inside networks with broad administrative access and limited monitoring, increasing the operational impact of compromise.

Researchers reported that this vulnerability is triggered through a REST application programming interface (API) endpoint, /rest/id-pools/executeCommand, which is reachable without authentication. The vendor-supplied hotfix adds a new HTTP rule to block access to this endpoint. A Metasploit module is now available, indicating that exploitation is low complexity.

The vulnerability carries a CVSS score of 10.0, the maximum rating. The worst-case scenario involves an attacker gaining centralized control over server hardware, firmware, and network configurations at scale. This level of access could enable reconfiguration of infrastructure, deployment of malicious firmware, disruption of workloads, and establishment of persistent access below the operating system layer. As of the latest reporting, there is no confirmed active exploitation in the wild.

HPE recommends upgrading to OneView version 11.0 or applying the emergency hotfixes for virtual appliance and HPE Synergy deployments. Because upgrades overwrite the mitigation, organizations may consider incorporating hotfix reapplication into their standard upgrade workflow. Segmentation of management networks, review of access paths, and verification that OneView interfaces are not exposed to untrusted networks may also be considered. Logging and monitoring of management-plane activity may be reviewed to detect unauthorized configuration changes.

The security hotfix is not included in appliance upgrades. When upgrading from OneView 6.60.xx to 7.00.00, the upgrade process overwrites the web server configuration files modified by the hotfix, removing the HTTP rule that blocks the vulnerable endpoint and returning the appliance to a vulnerable state. The same applies to HPE Synergy Composer reimages, which reinstall the operating environment from a clean baseline. As a result, the hotfix must be reapplied after any upgrade or reimage to maintain protection. HPE provides separate hotfix packages for the virtual appliance and for Synergy Composer.
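The two checks implied by the advisory, as an added example that is not Field Effect's or HPE's code: classify an appliance by version and hotfix state (the hotfix must be re-confirmed after every upgrade or reimage), and flag access-log requests to the vulnerable endpoint so they can be compared against expected management sources. The log format, the sample log lines and the version-parsing rule are assumptions.

```python
"""Defender-side checks for CVE-2025-37164 in HPE OneView (added example)."""
import re

VULN_ENDPOINT = "/rest/id-pools/executeCommand"
AFFECTED_MIN, AFFECTED_MAX = (5, 20), (10, 20)   # advisory: 5.20 through 10.20
FIXED_RELEASE = (11, 0)                          # upgrade target named by HPE


def parse_version(text):
    """'6.60.02' -> (6, 60): compare on major.minor (assumed sufficient here)."""
    m = re.match(r"^(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OneView version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version, hotfix_applied):
    """Return 'fixed', 'hotfixed', 'vulnerable' or 'unaffected'.
    hotfix_applied must be re-verified after any upgrade or Composer reimage,
    because both overwrite the HTTP rule the hotfix installs."""
    v = parse_version(version)
    if v >= FIXED_RELEASE:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "hotfixed" if hotfix_applied else "vulnerable"
    return "unaffected"  # outside the advisory's stated range; confirm with HPE


# Combined-log style line (assumed format; adapt to the appliance's web server).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def find_endpoint_hits(lines):
    """(ip, method, status) for every request whose path is the vulnerable
    endpoint; a 403 after the hotfix shows the blocking rule is in place."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?")[0] == VULN_ENDPOINT:
            hits.append((m.group("ip"), m.group("method"), int(m.group("status"))))
    return hits


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.10.5.21 - - [18/Dec/2025:09:14:02 +0000] "GET /rest/version HTTP/1.1" 200 143',
    '198.51.100.7 - - [18/Dec/2025:09:14:09 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Dec/2025:09:16:41 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    print(assess("6.60.02", hotfix_applied=False))  # vulnerable
    for ip, method, status in find_endpoint_hits(SAMPLE_LOG):
        print(f"{ip} {method} {VULN_ENDPOINT} -> {status}")
```

Run the assessment again after every upgrade or reimage, since a version still in the affected range only counts as protected while the hotfix rule is confirmed present.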

Insights & mitigations

Highly privileged management platforms are frequent targets for ransomware operators and other intrusion groups seeking rapid lateral movement and infrastructure-level control. Given the privileged role of OneView, organizations may review segmentation controls, access policies, and monitoring coverage for infrastructure management networks, and confirm that logging and alerting are enabled for management-plane activity.

Field Effect MDR users will be alerted via ARO if vulnerable systems are detected in their environment.

Field Effect MDR provides continuous visibility into affected assets, detects attacker activity before or after exploitation, and supports rapid containment actions that limit the operational impact of a compromise involving a privileged infrastructure control plane.
