Overview
- HPE OneView CVE-2025-37164 carries a CVSS 10.0 rating and allows unauthenticated remote code execution across all releases prior to version 11.00.
- HPE says there are no workarounds and instructs customers to upgrade to OneView 11.00 or later, with hotfixes available for certain older versions.
- The OneView flaw was reported by researcher Nguyen Quoc Khanh, patched by HPE in mid-December, and a public proof-of-concept was reported on December 23, increasing exploitation risk.
- CISA’s KEV update also lists Microsoft Office CVE-2009-0556, a PowerPoint memory corruption vulnerability that allows code injection and enables remote code execution in legacy versions.
- CISA cites evidence of active exploitation and urges all organizations to remediate promptly, while public details about the scope and actors behind current attacks remain limited.