Critical RCE flaw in HPE OneView software actively exploited

2 unique sources, 4 articles

Summary

Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability (CVE-2025-37164, CVSS score 10.0) in its OneView software. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching as there are no workarounds or mitigations available. HPE has not confirmed whether the vulnerability has been exploited in attacks.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th. CISA encourages all organizations, including the private sector, to patch their devices against this actively exploited flaw as soon as possible.

HPE OneView is IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.

Additionally, HPE has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including a critical authentication bypass vulnerability (CVE-2026-23813) that allows unauthenticated attackers to reset admin passwords. HPE has not found publicly available exploit code or evidence of exploitation in the wild.

Timeline

  1. 08.01.2026 09:45 2 articles · 2mo ago

    CISA flags HPE OneView flaw as actively exploited

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the maximum-severity HPE OneView vulnerability (CVE-2025-37164) as actively exploited in attacks. CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th and encourages all organizations to patch their devices against this actively exploited flaw as soon as possible. The article also mentions that HPE has patched multiple security vulnerabilities in the Aruba Networking AOS-CX operating system, including a critical authentication bypass vulnerability (CVE-2026-23813) that allows unauthenticated attackers to reset admin passwords. HPE has not found publicly available exploit code or evidence of exploitation in the wild.

  2. 18.12.2025 13:35 3 articles · 2mo ago

    HPE patches critical RCE flaw in OneView software

    HPE has patched a maximum-severity RCE vulnerability (CVE-2025-37164) in its OneView software. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. HPE advises immediate patching as there are no workarounds or mitigations available. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). The vulnerability has a CVSS score of 10.0. HPE OneView is an IT infrastructure management software that streamlines IT operations and controls all systems via a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operations. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.


Similar Happenings

Cisco SD-WAN Zero-Day Exploited by Highly Sophisticated Threat Actor

A critical zero-day vulnerability (CVE-2026-20127) in Cisco Catalyst SD-WAN Controller and Manager is being actively exploited by a sophisticated threat actor, tracked as UAT-8616. The flaw allows unauthenticated remote attackers to bypass authentication and gain administrative privileges. The exploitation dates back to 2023, and Cisco has credited the Australian Signals Directorate's Australian Cyber Security Centre (ASD-ACSC) for reporting the vulnerability. The vulnerability has a CVSS score of 10.0, indicating maximum severity. Cisco is actively tracking the exploitation and post-compromise activities associated with this flaw. The threat actor is described as highly sophisticated, and the exploitation has been ongoing for some time.

CVE-2024-37079 in VMware vCenter Exploited in the Wild

CVE-2024-37079, a critical heap overflow flaw in VMware vCenter Server, is being actively exploited in the wild. The vulnerability, patched in June 2024, allows remote code execution via a specially crafted network packet. Broadcom confirmed the active exploitation and advised customers to apply security patches immediately. CISA added the flaw to its KEV catalog, mandating FCEB agencies to secure their systems by February 13, 2026, under BOD 22-01. There are no known workarounds or mitigations, emphasizing the urgency of applying the latest patches.

SmarterMail Authentication Bypass Exploited Post-Patch

A critical authentication bypass vulnerability in SmarterMail email software (WT-2026-0001, CVE-2026-23760) has been actively exploited in the wild just two days after a patch was released. The flaw allows attackers to reset the system administrator password via a crafted HTTP request, leading to remote code execution (RCE) on the underlying operating system. The vulnerability was patched on January 15, 2026, but attackers reverse-engineered the patch to exploit it. Over 6,000 SmarterMail servers were found exposed online and likely vulnerable to attacks exploiting the flaw. Shadowserver is tracking these servers, with more than 4,200 in North America and nearly 1,000 in Asia. Macnica threat researcher Yutaka Sejiyama found over 8,550 SmarterMail instances still vulnerable. CISA added the vulnerability to its list of actively exploited vulnerabilities, ordering U.S. government agencies to secure their servers by February 16. Threat actors rapidly shared proof-of-concept exploits, offensive tools, and stolen administrator credentials related to SmarterMail vulnerabilities on underground Telegram channels and cybercrime forums. SmarterTools was breached in January 2026 after attackers exploited an unpatched SmarterMail server running on an internal VM. Ransomware operators gained initial access through SmarterMail vulnerabilities and waited before triggering encryption payloads. Over 34,000 servers were found on Shodan with indications of running SmarterMail, with 1,185 vulnerable to authentication bypass or RCE flaws. CISA added CVE-2026-24423 to the Known Exploited Vulnerabilities catalog in February 2026, confirming active ransomware exploitation.

Microsoft January 2026 Patch Tuesday Addresses 3 Zero-Days, 114 Flaws

Microsoft's January 2026 Patch Tuesday addressed 114 vulnerabilities, including three zero-days: one actively exploited (CVE-2026-20805) and two publicly disclosed (CVE-2026-21265 and CVE-2023-31096). The updates covered a range of flaw types, with eight classified as 'Critical,' including remote code execution and elevation-of-privilege vulnerabilities. Additionally, Microsoft released emergency out-of-band security updates to patch a high-severity Microsoft Office zero-day vulnerability (CVE-2026-21509) exploited in attacks, affecting multiple Office versions. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-20805 and CVE-2026-21509 to its Known Exploited Vulnerabilities (KEV) catalog, mandating Federal Civilian Executive Branch (FCEB) agencies to apply the latest fixes by February 3, 2026, and February 16, 2026, respectively. The flaw was discovered by the Microsoft Threat Intelligence Center (MSTIC), the Microsoft Security Response Center (MSRC), and the Office Product Group Security Team, and affects several versions of Microsoft Office 2016, 2019, LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise.

CISA Adds Actively Exploited Microsoft Office and HPE OneView Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerabilities include CVE-2009-0556 in Microsoft Office PowerPoint and CVE-2025-37164 in HPE OneView. The flaws allow for remote code execution and memory corruption. CISA urges federal agencies to apply patches by January 28, 2026, to mitigate risks. A proof-of-concept (PoC) exploit for CVE-2025-37164 has been publicly released, increasing the risk of exploitation.