The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a maximum-severity HPE OneView vulnerability as actively exploited in attacks.

HPE’s OneView infrastructure management software helps IT admins automate the management of storage, servers, and networking devices from a centralized interface.

Tracked as CVE-2025-37164, this critical security flaw was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to HPE, which released security patches in mid-December.

CVE-2025-37164 affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors through low-complexity code-injection attacks to gain remote code execution on unpatched systems.

“A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE warned on December 16.

There are no workarounds or mitigations for CVE-2025-37164, so HPE advised customers to upgrade to OneView version 11.00 or later (available through HPE’s Software Center) as soon as possible.

CISA has also added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Even though BOD 22-01 targets only federal agencies, CISA encouraged all organizations, including those in the private sector, to patch their devices against this actively exploited flaw as soon as possible.

“Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” CISA warned on Wednesday.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” it added.

In July, HPE also warned of hardcoded credentials in Aruba Instant On Access Points that could enable attackers to bypass standard device authentication. One month earlier, it patched eight vulnerabilities in its StoreOnce disk-based backup and deduplication solution, including three remote code execution flaws and a critical-severity authentication bypass.

HPE has reported revenues of $30.1 billion in 2024 and has over 61,000 employees worldwide. It provides services and products to over 55,000 organizations worldwide, including 90% of Fortune 500 companies.