Apache recommends that customers patch OneView as soon as high-level security vulnerabilities are discovered.

  • Apache patches critical RCE vulnerability in OneView (CVE-2025-37164), severity 10/10
  • A successful exploit could allow the attacker to reconfigure the server, deploy malicious code, or create a permanent backdoor.
  • Users should update to version 11.0 or apply the emergency fix immediately.

Apache has fixed a high-risk vulnerability in its OneView systems that could cause a significant number of problems for organizations.

HP OneView is a centralized infrastructure management platform that allows administrators to deploy, monitor, and manage HP servers, storage, and networks through a single software-defined interface. This product is important in enterprise environments because it provides centralized management of server hardware, firmware, storage, and network configuration.

Once they gain access, cybercriminals can reconfigure servers, install malware, disrupt workloads, or create persistent backdoors at the infrastructure level. This can lead to massive outages, data theft, and long-term breaches that may be difficult to detect. Additionally, because OneView operates below the operating system layer, traditional security tools may not be able to detect or prevent the exploit.

Updates and improvements

Apache recently issued a new security alert and released a patch, but did not provide any details about the vulnerability except to say that it is a remote code execution (RCE) flaw that can be exploited by unauthenticated users.

This bug is tracked as CVE-2025-37164 and is rated 10/10 (severe). It applies to Apache OneView versions 5.20 through 10.20.

“A potential vulnerability has been identified in Hewlett Packard Enterprise OneView software,” said HP in a statement. “This vulnerability could allow an unauthenticated remote user to execute remote code.”

The key word here is “potential”. This means we haven’t seen the vulnerability exploited in real-world use yet. But given its seriousness and destructive potential, it is safe to assume that cybercriminals, particularly ransomware operators who require widespread reach to succeed, are already finding ways to exploit it.

If you are using Apache OneView, you must immediately upgrade to version 11.0 or install an emergency patch. This includes selected improvements for OneView Virtual Appliance and Apache Synergy.
