U.S. CISA warns of actively exploited bug in HPE OneView

January 14, 2026

A maximum-severity vulnerability in Hewlett Packard Enterprise’s OneView management software is now being actively exploited. This has prompted U.S. cyber authorities to urge organizations running the platform to patch immediately.

On Wednesday, the Cybersecurity and Infrastructure Security Agency added the vulnerability — tracked as CVE-2025-37164 — to its Known Exploited Vulnerabilities catalog, signalling confirmed malicious activity in the wild. The bug carries the maximum possible CVSS score of 10 and allows unauthenticated remote code execution against OneView, HPE’s software-defined platform used to centrally manage servers, storage, networking and firmware across enterprise environments.

The vulnerability was first disclosed by HPE on December 17, alongside a hotfix covering OneView versions 5.20 through 10.20. At the time, security researchers warned the flaw posed an unusually high risk because of where OneView sits inside corporate networks.

“The reason this vulnerability has been assigned a maximum severity is because of what the software actually does,” said Douglas McKee, director of vulnerability intelligence at Rapid7. If attackers gain code execution inside OneView, he warned, they effectively inherit administrator-level control over vast portions of an organisation’s infrastructure. “That’s a very different blast radius than a typical web app bug,” he added.

Despite its addition to the KEV catalog, details about real-world exploitation remain limited. HPE has not publicly confirmed seeing attacks against customers, and researchers say visibility into exploitation is murky.

CISA does not typically add flaws to its KEV list without evidence of active exploitation, but neither the agency nor HPE has disclosed who observed the attacks or where they were detected.

Rapid7 says it has not independently seen exploitation, but stresses that the architecture of management platforms like OneView makes them especially dangerous when compromised. In a recent blog post, the firm warned that such systems are often deeply embedded, broadly trusted and lightly monitored. In the firm’s words: “Management platforms are often deployed deep inside the network with broad privileges and minimal monitoring because they’re ‘supposed’ to be trusted. When an unauthenticated RCE shows up in that layer, defenders need to treat it as an assumed-breach scenario, prioritize patching immediately, and review access paths and segmentation.”


Jim Love

Jim is an author and podcast host with over 40 years in technology.
