CVE-2025-37164 — Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability

CVE-2025-37164

HPE OneView — Unauthenticated REST API Code Injection RCE (CVSS 10; RondoDox Botnet — 40,000 Attacks)

What is HPE OneView?

HPE OneView is an infrastructure management platform for Hewlett Packard Enterprise's ProLiant server and HPE Synergy converged infrastructure environments. It provides a unified management console for servers, storage, networking, and virtualization across data centers, enabling IT administrators to provision and manage infrastructure as code. Because OneView manages physical infrastructure — servers, blades, switches — with privileged access to firmware and out-of-band management interfaces, compromising it gives an attacker the ability to modify server configurations, install malicious firmware, disrupt infrastructure, and pivot to any managed system.

Overview

CVE-2025-37164 is a maximum-severity code injection vulnerability (CWE-94, CVSS 10.0) in HPE OneView. An unauthenticated remote attacker can send a crafted request to the /rest/id-pools/executeCommand REST API endpoint, which accepts and executes arbitrary commands without any authentication or authorization check. The CVSS Scope:Changed (S:C) rating reflects that code execution on the OneView management server reaches the underlying OS and all managed infrastructure. The vulnerability was actively exploited by the RondoDox botnet, which launched over 40,000 attack attempts in a single 4-hour window in January 2026.

Affected Versions

Product                        Vulnerable                     Fixed
HPE OneView                    Versions 5.20 through 10.20    HPE OneView 11.0
HPE OneView (older versions)   Prior to 11.0 (all)            Emergency hotfix (blocks /rest/id-pools/executeCommand)

HPE provided two remediation paths: upgrade to OneView 11.0, or apply an emergency hotfix that blocks the vulnerable endpoint at the web server layer (without full upgrade).

Technical Details

The vulnerability (CWE-94: Code Injection) is in the /rest/id-pools/executeCommand REST API endpoint in HPE OneView. This endpoint was designed for internal management automation but was exposed without authentication or authorization enforcement. User-supplied input in the request body is passed directly to the underlying OS runtime, allowing an attacker to inject arbitrary commands that execute with full server privileges. No session, token, or credentials of any kind are required — the endpoint is accessible to any unauthenticated network client that can reach the OneView management interface.

Discovery

The vulnerability was discovered by security researcher Nguyen Quoc Khanh, who reported it to HPE.

Exploitation Context

Active exploitation was confirmed beginning in January 2026. Check Point Research identified a large-scale automated campaign by the RondoDox botnet, which logged over 40,000 attack attempts against HPE OneView instances between 05:45 and 09:20 UTC on a single day in January 2026 — a sustained 4-hour attack wave. The botnet was fingerprinted by a distinctive user-agent string and, upon successful exploitation, downloaded RondoDox malware from attacker-controlled hosts. Targeted sectors were government, financial services, and industrial manufacturing, with the highest attack volumes in the US, Australia, France, Germany, and Austria. CISA added CVE-2025-37164 to the KEV catalog on 7 January 2026 with a 21-day federal deadline.

Remediation

  1. Upgrade HPE OneView to version 11.0 immediately — this is the complete fix.
  2. Apply the emergency hotfix if upgrade is not immediately feasible — the hotfix blocks access to the vulnerable /rest/id-pools/executeCommand endpoint at the web server layer.
  3. Restrict OneView management interface access: apply firewall rules to limit HTTPS access to the OneView management port to trusted administrative IP ranges only. The management interface should never be internet-accessible.
  4. Review OneView audit logs for unexpected API calls to /rest/id-pools/executeCommand from external IP addresses, particularly before December 2025.
  5. Check managed infrastructure for unauthorized configuration changes — a compromised OneView server may have been used to modify server firmware, BIOS settings, or boot configurations.
  6. Rotate OneView administrator credentials and any API tokens used by integrations.
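As an added example (not HPE's code or tooling), the log review in steps 3 and 4 can be scripted: the block below parses combined-format web-server access log lines, compares each request path with /rest/id-pools/executeCommand, and reports requests whose source address falls outside an assumed set of trusted administrative networks. The log format, the trusted ranges and the sample lines are assumptions constructed for this example.

```python
# Added example (not HPE's code): flag access-log hits on the CVE-2025-37164 endpoint from untrusted networks.
import ipaddress
import re
from typing import Dict, Iterable, List

VULN_ENDPOINT = "/rest/id-pools/executeCommand"  # endpoint named in HPE's bulletin

# Assumption: the only networks permitted to reach the OneView management port.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                      ipaddress.ip_network("192.168.100.0/24")]

# Combined log format: ip - - [ts] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_trusted(ip: str) -> bool:
    """True only if the source address lies inside a trusted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETS)

def find_suspicious(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One record per request to the vulnerable endpoint from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        # Compare the path only: drop any query string and ignore case (defensive).
        path = m["path"].split("?", 1)[0]
        if path.lower() != VULN_ENDPOINT.lower() or is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "ua": m["ua"]})
    return hits

# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '10.20.5.7 - - [05/Jan/2026:08:00:01 +0000] "GET /rest/version HTTP/1.1" 200 312 "-" "curl/8.4"',
    '203.0.113.45 - - [05/Jan/2026:05:46:12 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '10.20.5.7 - - [05/Jan/2026:08:05:00 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.9 - - [05/Jan/2026:06:01:33 +0000] "POST /rest/id-pools/executecommand?x=1 HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['method']} status={h['status']} ua={h['ua']}")
```

A 200 response on the endpoint before the hotfix was applied is the case worth escalating; a 403 after the hotfix shows the block working but still records who tried.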

Key Details

Property               Value
CVE ID                 CVE-2025-37164
Vendor / Product       Hewlett Packard Enterprise (HPE) — OneView
NVD Published          2025-12-16
NVD Last Modified      2026-01-10
CVSS 3.1 Score         10
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-94
CISA KEV Added         2026-01-07
CISA KEV Deadline      2026-01-28
Known Ransomware Use   No

CVSS 3.1 Breakdown

Metric                 Value
Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Changed
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2026-01-28. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-16   HPE Security Bulletin HPESBGN04985 published; CVE published; HPE OneView 11.0 and hotfixes released
2026-01-07   CISA adds CVE-2025-37164 to the Known Exploited Vulnerabilities catalog
2026-01-08   Check Point documents the RondoDox botnet campaign: 40,000+ attack attempts in a single 4-hour window
2026-01-28   CISA BOD 22-01 remediation deadline