
Exploitation of the flaw targets critical data-center management software, putting thousands of enterprises and federal systems at risk of remote takeover and making rapid patching essential for operational security.
HPE OneView is a cornerstone for automating storage, server, and networking management across large-scale IT environments. The newly disclosed flaw, CVE-2025-37164, is a low-complexity code injection that grants attackers full remote code execution on any unpatched instance. Because the vulnerability affects all OneView releases before version 11.00, organizations that have not applied the December security update face immediate exposure. With no workaround or mitigation available, the decision is binary: upgrade to the patched version or accept the risk of a compromise that could cascade through critical infrastructure.
CISA’s decision to label the flaw as actively exploited amplifies its urgency. Under Binding Operational Directive 22‑01, federal civilian agencies have a three‑week window—until January 28—to remediate, reflecting the government’s broader strategy of hardening the federal enterprise against nation‑state and criminal actors. While the directive technically applies only to federal entities, CISA’s advisory explicitly extends the recommendation to private‑sector operators, underscoring the shared risk landscape. Enterprises that delay patching not only jeopardize compliance but also expose themselves to potential supply‑chain attacks that leverage compromised management consoles.
HPE’s broader security posture adds context to the episode. The company reported $30.1 billion in revenue for 2024 and supports over 55,000 customers, including 90% of Fortune 500 firms, so any vulnerability in its flagship products is a high-impact event. Recent disclosures—such as hard-coded credentials in Aruba Instant On APs and multiple RCE bugs in StoreOnce—show a pattern of rapid vulnerability discovery and remediation. For organizations reliant on HPE’s ecosystem, an aggressive patch cadence is no longer optional; it is a strategic imperative for safeguarding operational continuity and protecting sensitive data.