Critical HPE OneView Vulnerability Exploited in Attacks

By Ionut Arghire
Publication Date: 2026-01-08 11:09:00

The US cybersecurity agency CISA warned on Wednesday that a critical vulnerability in Hewlett Packard Enterprise’s (HPE) OneView product has been exploited in attacks.

Tracked as CVE-2025-37164 (CVSS score of 10/10), the security flaw was disclosed on December 17, 2025, when HPE released fixes for it.

HPE credited Nguyen Quoc Khanh for reporting the bug, but refrained from sharing technical information.

“This vulnerability could be exploited, allowing an unauthenticated remote user to perform remote code execution,” HPE said.

According to cybersecurity company Rapid7, the issue likely affects a specific REST API endpoint that can be accessed without authentication.

On Wednesday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it has been exploited in the wild.

“Hewlett Packard Enterprise OneView contains a code injection vulnerability that allows remote control…