By Steve Zurier
Publication Date: 2026-01-08 19:43:00
The US Cybersecurity and Infrastructure Security Agency (CISA) placed a maximum-severity bug in HPE OneView in its Known Exploited Vulnerabilities (KEV) catalog on January 7. HPE warned on December 16 that teams should apply a security patch to HPE OneView to repair the defect, CVE-2025-37164, and added on January 7 that teams should upgrade to OneView version 11.00 or later.

Now that the flaw has been actively exploited in the wild following Rapid7’s release of proof-of-concept code, security professionals said teams should treat this as a “patch now” moment because HPE OneView operates as the orchestration layer for hundreds, if not thousands, of large enterprises with more than 10,000 users.

“When CISA adds something to the KEV catalog, it means someone is actively using this in the wild,” said Doug McKee, director of vulnerability intelligence at Rapid7. “Once public exploit code exists, the barrier to entry drops dramatically, and we’ve seen time and time again how quickly they become…