Hewlett Packard Enterprise (HPE) has released urgent security patches to address a critical remote code execution (RCE) vulnerability in its OneView IT infrastructure management platform. The flaw, tracked as CVE-2025-37164 and carrying a maximum CVSS score of 10, could allow unauthenticated attackers to execute arbitrary code on affected systems.
HPE has not reported any active exploitation of the vulnerability, but it strongly urges users to update immediately to the latest patched versions to mitigate potential risks. The issue affects all OneView releases up to version 10.20, with hotfixes available for both OneView users and HPE Synergy Composer reimages. Users on version 6.60.xx are advised to first upgrade to version 7.00 before applying the patch.
According to Rapid7, the vulnerability resides in a specific REST API endpoint, /rest/id-pools/executeCommand, which is reachable without authentication. Applying the hotfix adds a new HTTP rule to the appliance's web server that blocks unauthorized access to this endpoint and so prevents the remote code execution. HPE credited Nguyen Quoc Khanh for reporting the flaw but did not release further technical details.
Additional Telco Service Activator Vulnerabilities Patched
HPE also addressed three security defects in its Telco Service Activator (TSA) service provisioning and activation software. The flaws, tracked as CVE-2025-49146, CVE-2025-55163, and CVE-2025-7962, impact dependencies including the PostgreSQL JDBC driver (PgJDBC), the Netty framework, and Jakarta Mail.
Successful exploitation of these vulnerabilities could result in authentication bypass, denial-of-service (DoS), or Carriage Return Line Feed (CRLF) injection attacks. All TSA versions up to 10.3.2 are affected, with patches included in version 10.3.3. HPE has not reported any instances of these vulnerabilities being exploited in the wild.
Security Recommendations
HPE customers are advised to:
- Apply the OneView hotfix immediately.
- Upgrade affected Telco Service Activator systems to version 10.3.3.
- Review internal access controls and monitor for unusual activity.
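The following Python is an added example, not code from HPE, Rapid7 or the OneView product, that turns two points in this article into defender-side checks: the version-to-remediation mapping for OneView (6.60.xx upgrades to 7.00 first, anything up to 10.20 applies the hotfix) and a scan of web-server access logs for requests to the unauthenticated /rest/id-pools/executeCommand endpoint, which is the kind of monitoring the recommendations call for. The access-log format, the sample IP addresses and log lines, and the assumption that a hotfixed appliance answers such requests with a non-2xx status are all constructed for the example and are not stated on the page.

```python
"""Added example (not HPE's or Rapid7's code): two defender-side checks
derived from the advisory text above.

1. oneview_action(version) maps an installed OneView version string to the
   remediation step the advisory describes.
2. find_executecommand_hits(log_lines) scans access-log lines for requests
   to the unauthenticated endpoint named in the article.

The log format, the source IPs and the "blocked" status code are
assumptions made for this example, not facts from the page.
"""
import re
from typing import List, Tuple

# Endpoint the article names as reachable without authentication.
VULN_ENDPOINT = "/rest/id-pools/executeCommand"
# Last affected release per the article ("all OneView releases up to 10.20").
LAST_AFFECTED = (10, 20)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.60.02' or '10.20' into a comparable tuple of ints."""
    return tuple(int(p) for p in version.strip().split(".") if p.isdigit())


def oneview_action(version: str) -> str:
    """Remediation step for a OneView appliance, following the advisory:
    6.60.xx must upgrade to 7.00 before the hotfix; anything up to 10.20
    applies the hotfix. Builds newer than 10.20 are treated as outside the
    stated affected range (assumption: the article names no later release).
    A version string cannot show whether the hotfix is already installed."""
    v = parse_version(version)
    if v[:2] == (6, 60):
        return "upgrade to 7.00, then apply hotfix"
    if v[:2] <= LAST_AFFECTED:
        return "apply hotfix"
    return "not in affected range per advisory"


# Common-log-style access lines (assumed format, constructed for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_executecommand_hits(log_lines: List[str]) -> List[dict]:
    """Return one record per request whose path targets the vulnerable
    endpoint. The comparison ignores case and a trailing query string, so
    '/REST/id-pools/executeCommand?x=1' is still matched."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a line in the assumed format; skip it
        path = m.group("path").split("?", 1)[0].lower()
        if path != VULN_ENDPOINT.lower():
            continue
        status = int(m.group("status"))
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": status,
            # Assumption: a hotfixed appliance rejects the request, so a 2xx
            # here means the call reached the handler (unpatched, or a bypass
            # worth escalating).
            "reached_handler": 200 <= status < 300,
        })
    return hits


# Constructed sample log: one pre-hotfix hit that succeeded, one blocked hit.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jan/2025:10:00:01 +0000] "GET /rest/version HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Jan/2025:10:00:05 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jan/2025:10:02:05 +0000] "POST /REST/id-pools/executeCommand?x=1 HTTP/1.1" 403 0',
    '192.0.2.10 - - [10/Jan/2025:10:03:00 +0000] "GET /rest/login-sessions HTTP/1.1" 200 300',
    'not an access-log line',
]


if __name__ == "__main__":
    for ver in ("6.60.02", "7.00", "10.20"):
        print(f"OneView {ver}: {oneview_action(ver)}")
    for hit in find_executecommand_hits(SAMPLE_LOG):
        flag = "REACHED HANDLER" if hit["reached_handler"] else "blocked"
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} -> {hit["status"]} ({flag})')
```

Run against real appliance web-server logs, the records flagged `reached_handler` are the ones to investigate first, since they show the endpoint answering before the hotfix rule was in place; the version helper is meant for an inventory script that decides which appliances need the extra 7.00 upgrade step.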
These updates underscore the importance of timely patching in IT infrastructure management platforms, which are high-value targets for attackers due to their broad access to enterprise environments.