
CISA Adds Actively Exploited HPE OneView RCE Flaw (CVE-2025-37164) to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-37164 to its Known Exploited Vulnerabilities (KEV) catalog, signalling active exploitation of a critical remote code execution vulnerability in HPE OneView. The flaw carries the maximum CVSS score of 10.0, which in practice means it is reachable over the network, requires no privileges or user interaction, and yields full loss of confidentiality, integrity and availability. It poses an immediate and severe risk to organizations that use HPE OneView for server infrastructure management.

HPE OneView is a centralized platform for monitoring and configuring server hardware environments. The vulnerability allows an attacker to execute arbitrary code on the affected appliance. CISA has set January 28, 2026 as the deadline for federal agencies to apply the vendor-provided fix.

Remote code execution flaws rated CVSS 10.0 are the most critical class of software vulnerability. In enterprise environments HPE OneView typically manages core server infrastructure and holds credentials for the hardware it controls, so a successful exploit is particularly damaging: an attacker who gains control of the appliance can reach the managed systems, exfiltrate data, disrupt services, or pivot further into the network.

For security teams, immediate action is required. First, inventory every HPE OneView installation in the enterprise, including lab and disaster-recovery appliances, and record the version each one runs and which networks can reach its management interface. Second, apply the latest security patches from HPE without delay; given the active exploitation confirmed by the KEV listing, treat this as the highest patching priority. Where patching cannot be completed immediately, isolate the OneView appliances through network segmentation and restrict access to the management interface to the administrators who need it. Because exploitation is already underway, patching alone does not establish that an appliance is clean: review appliance audit logs and outbound connections from the period before the patch was applied.

Inclusion in the KEV catalog means this vulnerability is being used in real-world attacks, not merely in theoretical scenarios. CISA's remediation deadlines are binding only on U.S. federal civilian agencies under Binding Operational Directive 22-01, but every organization running HPE OneView should remediate on the same schedule. The case underscores the importance of timely patching for infrastructure management tools, which commonly hold extensive privileges across the enterprise network.
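The inventory, patch and segmentation steps above can be driven from a simple triage script. The following is an added example written for this page, not code from the article, CISA or HPE. It assumes that the team has already collected each appliance's product version string and a note on how widely its management interface is exposed; the inventory below is constructed sample data, and the fixed version is passed in as a parameter because this page does not state which HPE OneView release contains the fix (take that value from HPE's bulletin for CVE-2025-37164).

```python
"""Triage an HPE OneView fleet against a vendor-fixed version.

Added example for this page; not from the article, CISA or HPE.
The fixed version is a parameter: look it up in HPE's bulletin for
CVE-2025-37164 rather than trusting any value hard-coded here.
"""
from dataclasses import dataclass
import re

# Accepts '10.0.0', 'v10.1', '10.0.0-build42'; captures the dotted numeric core.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return a tuple of ints for a version string, or None if it is unparseable."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a, b):
    """True if version tuple a is older than b; pads so that 10.1 == 10.1.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass
class Appliance:
    host: str
    version: str        # product version as reported by the appliance
    exposure: str       # "mgmt-only" or "any": who can reach the management UI/API


def triage(inventory, fixed_version):
    """Sort appliances into patched / needs_patch / unknown.

    Appliances that still need the patch and whose management interface is
    reachable from outside the management network are also listed under
    'isolate_first': they are the ones to segment before anything else.
    """
    fixed = parse_version(fixed_version)
    if fixed is None:
        raise ValueError(f"cannot parse fixed version {fixed_version!r}")

    report = {"patched": [], "needs_patch": [], "unknown": [], "isolate_first": []}
    for appliance in inventory:
        current = parse_version(appliance.version)
        if current is None:
            # An appliance whose version cannot be read must be treated as
            # unpatched for planning purposes, so it is reported separately.
            report["unknown"].append(appliance.host)
            continue
        if version_lt(current, fixed):
            report["needs_patch"].append(appliance.host)
            if appliance.exposure != "mgmt-only":
                report["isolate_first"].append(appliance.host)
        else:
            report["patched"].append(appliance.host)
    return report


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = [
    Appliance("ov-dc1.example.internal", "10.0.0", "any"),
    Appliance("ov-dc2.example.internal", "v10.1", "mgmt-only"),
    Appliance("ov-lab.example.internal", "n/a", "any"),
    Appliance("ov-dc3.example.internal", "10.1.0-build42", "any"),
    Appliance("ov-dc4.example.internal", "10.0.5", "mgmt-only"),
]


if __name__ == "__main__":
    # "10.1.0" is a hypothetical fixed version used only to exercise the logic.
    result = triage(SAMPLE_INVENTORY, "10.1.0")
    for bucket, hosts in result.items():
        print(f"{bucket:14s} {', '.join(hosts) or '-'}")
```

The `isolate_first` bucket is the practical output: those are the appliances where a segmentation rule or access-list change buys time until the patch window, while `unknown` flags appliances whose version could not be read and which should be assumed vulnerable until verified.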