PoC Exploit Released for HPE OneView R Vulnerability

Hey, heads up for anyone using HPE OneView R Vulnerability in the platform. You know, HPE OneView, that popular IT infrastructure management system so many businesses rely on. HPE themselves have already released an advisory on this, so it’s a big deal.

The flaw, tracked as CVE-2025-37164, carries a maximum CVSS score of 10.0, indicating immediate danger to enterprise environments.

The vulnerability allows remote attackers to execute malicious code on affected systems without needing a password or any form of authentication.

A valid Metasploit module has already been published, making it easy for threat actors to weaponize this flaw.

Technical Breakdown

The issue lies within the ID-Pools REST API endpoint of the HPE OneView software.

Specifically, the vulnerability exists in how the application handles the executeCommand parameter. The code explicitly marks the authentication header as “not required.”

This oversight allows an attacker to send a simple JSON command, such as opening a reverse shell, which the server then executes with high privileges.

While HPE’s advisory states that all versions before 11.0 are affected.

According to Rapid7’s analysis, the application accepts user input via a specific API request (PUT /rest/id-pools/executeCommand). However, it fails to verify whether the user is authorized.

Researchers found that the vulnerable “id-pools” feature is primarily active in HPE OneView for HPE Synergy and specific versions of HPE OneView for VMs (Branch 6.x).

HPE has released a hotfix that patches the flaw by blocking access to the vulnerable URL path.

Given the release of public exploit code and the high privileges associated with OneView management consoles, administrators are urged to patch immediately.

Verify your OneView version immediately and apply the vendor-supplied hotfix to prevent unauthorized access to your physical and virtual infrastructure.