
HPE's IT Management Platform Exposes Thousands of Enterprises to Perfect-Score Vulnerability

HPE OneView's maximum-severity flaw lets attackers execute code remotely without authentication. Fortune 500 companies at risk.

IT administrators managing HPE infrastructure just got an urgent wakeup call. A vulnerability in HPE OneView, the centralized dashboard that controls servers, storage, and networking equipment, has earned the rare distinction of a perfect 10.0 CVSS severity score. That score is reserved for flaws that are reachable over the network, require no privileges and no user interaction, have low attack complexity, and give the attacker full control over confidentiality, integrity, and availability.

The flaw, tracked as CVE-2025-37164, allows remote code execution without any authentication whatsoever. In practical terms, an attacker doesn't need credentials, stolen passwords, or insider access. Network reachability to the vulnerable appliance is the only prerequisite.

Vietnamese security researcher Nguyen Quoc Khanh discovered and responsibly disclosed the vulnerability to HPE's security team. What makes this particularly alarming is the widespread deployment of OneView across enterprise environments—HPE counts more than 55,000 organizations as customers, including 90% of Fortune 500 companies.

"This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE confirmed in its security bulletin released this week. The company hasn't indicated whether attackers have weaponized the flaw yet, but the low attack complexity reflected in the score means exploitation would require neither privileged access nor any action from a victim.

Every version of OneView prior to v11.00 is vulnerable. HPE has released fixes through two channels: organizations can upgrade to version 11.00 directly, or apply security hotfixes for versions 5.20 through 10.20. There is a catch: the hotfix does not survive certain maintenance operations. Admins upgrading from version 6.60 or later to 7.00 must reapply the hotfix afterward, as must anyone performing HPE Synergy Composer reimaging operations. Appliances older than 5.20 have no hotfix path and must be upgraded.
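Fleet operators with dozens of OneView appliances will want to triage inventory data rather than eyeball it, and version strings such as "10.20" and "6.60" compare in the wrong order when treated as text. The script below is an added example, not code from the article or from HPE. It encodes only the rules stated above: anything before 11.00 is affected, a hotfix exists for 5.20 through 10.20, and the hotfix must be reapplied after a 6.60-or-later-to-7.00 upgrade or a Synergy Composer reimage. The version-string formats, the `Appliance` fields, and the sample inventory are all assumptions constructed for the example.

```python
"""Triage HPE OneView appliance versions against the CVE-2025-37164 advisory.

Added example, not part of the original article and not HPE tooling. The
inventory at the bottom is constructed sample data; the accepted version
formats ("7.00", "v10.20", "6.60.01") are an assumption about how an
inventory system might record the appliance version.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Accept an optional leading "v", major.minor, and an optional third component.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?\s*$")

FIXED = (11, 0, 0)          # first release the article says is not affected
HOTFIX_MIN = (5, 20, 0)     # hotfix range given in the article: 5.20 ...
HOTFIX_MAX = (10, 20, 0)    # ... through 10.20, inclusive
REAPPLY_FROM = (6, 60, 0)   # upgrading from >= 6.60 ...
REAPPLY_TO = (7, 0, 0)      # ... to 7.00 requires reapplying the hotfix


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn "v7.00", "10.20" or "6.60.01" into a comparable integer tuple.

    Comparing the raw strings is the classic mistake: "10.20" < "6.60"
    lexically, which would mark a 10.20 appliance as older than a 6.60 one.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OneView version string: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


@dataclass(frozen=True)
class Appliance:
    name: str
    version: str
    hotfix_applied: bool = False          # hotfix for CVE-2025-37164 installed
    reimaged_since_hotfix: bool = False   # Synergy Composer reimage after the hotfix


def triage(app: Appliance) -> str:
    """Classify one appliance.

    Returns one of:
      "fixed"            running 11.00 or later
      "remediated"       in the hotfix range with the hotfix still in place
      "reapply-hotfix"   hotfix was applied but a reimage has since removed it
      "hotfix-available" in the hotfix range, hotfix not yet applied
      "upgrade-only"     older than 5.20, no hotfix exists, must upgrade
    """
    v = parse_version(app.version)
    if v >= FIXED:
        return "fixed"
    if not (HOTFIX_MIN <= v <= HOTFIX_MAX):
        return "upgrade-only"
    if app.hotfix_applied:
        return "reapply-hotfix" if app.reimaged_since_hotfix else "remediated"
    return "hotfix-available"


def reapply_required(from_version: str, to_version: str) -> bool:
    """True if the hotfix must be reapplied after the planned upgrade.

    Only the 6.60-or-later to 7.00 path is called out by the article; an
    upgrade that lands on 11.00 or later needs no hotfix at all.
    """
    src, dst = parse_version(from_version), parse_version(to_version)
    if dst >= FIXED:
        return False
    return src >= REAPPLY_FROM and dst == REAPPLY_TO


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Appliance("ov-dc1", "11.00"),
    Appliance("ov-dc2", "10.20"),
    Appliance("ov-dc3", "v7.00.00", hotfix_applied=True),
    Appliance("ov-lab", "6.60", hotfix_applied=True, reimaged_since_hotfix=True),
    Appliance("ov-legacy", "5.10"),
]


def run_sample() -> dict[str, str]:
    """Map each sample appliance name to its triage status."""
    return {app.name: triage(app) for app in SAMPLE_INVENTORY}


if __name__ == "__main__":
    for name, status in run_sample().items():
        print(f"{name:10} {status}")
    print("6.60 -> 7.00 reapply hotfix:", reapply_required("6.60", "7.00"))
```

Only `triage` and `reapply_required` encode the advisory; the version parser is the part most worth reusing, since the ordering bug it guards against silently misclassifies exactly the 10.x appliances that most need the hotfix.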

The timing adds urgency to an already critical situation. HPE has dealt with several high-severity vulnerabilities this year, including eight flaws in its StoreOnce backup solution and hardcoded credentials in Aruba access points. This pattern suggests infrastructure management tools have become prime targets.

For organizations running OneView, there is no middle ground here. HPE offers no workarounds or temporary mitigations, so applying the hotfix or upgrading to 11.00 is the only fix. Because network reachability is the sole prerequisite for exploitation, the one thing an operator can do in the interval before patching is confirm that the OneView appliance is not reachable from untrusted networks; that is standard management-plane hygiene, not an HPE-sanctioned mitigation, and it does not replace the patch for a vulnerability that essentially hands over the keys to the system managing your entire IT infrastructure.
