Critical RCE flaw in HPE OneView software actively exploited
Summary
Hewlett Packard Enterprise (HPE) has patched a maximum-severity remote code execution (RCE) vulnerability, CVE-2025-37164 (CVSS score 10.0), in its OneView software. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. It was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE advises immediate patching, as no workarounds or mitigations are available, and has not confirmed whether the vulnerability has been exploited in attacks. The U.S. Cybersecurity and Infrastructure Security Agency (CISA), however, has flagged the flaw as actively exploited in attacks and has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until January 28th, to secure their systems. CISA encourages all organizations, including the private sector, to patch their devices against this actively exploited flaw as soon as possible. HPE OneView is IT infrastructure management software that streamlines IT operations and controls all systems through a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
Timeline
- 08.01.2026 09:45 · 1 article
CISA flags HPE OneView flaw as actively exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged the maximum-severity HPE OneView vulnerability (CVE-2025-37164) as actively exploited in attacks. CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th and encourages all organizations to patch their devices against this actively exploited flaw as soon as possible.
Sources:
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- 18.12.2025 13:35 · 3 articles
HPE patches critical RCE flaw in OneView software
HPE has patched a maximum-severity RCE vulnerability, CVE-2025-37164 (CVSS score 10.0), in its OneView software. The flaw affects all versions before v11.00 and can be exploited by unauthenticated attackers in low-complexity attacks. HPE advises immediate patching, as no workarounds or mitigations are available. The vulnerability was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200). HPE OneView is IT infrastructure management software that streamlines IT operations and controls all systems through a centralized dashboard interface. The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation. Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
Information Snippets
- CVE-2025-37164 is a critical-severity RCE flaw in HPE OneView software.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- The vulnerability affects all OneView versions released before v11.00.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- Unauthenticated attackers can exploit the flaw in low-complexity attacks.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- HPE has not confirmed whether the vulnerability has been exploited in attacks.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- There are no workarounds or mitigations for the vulnerability.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- Admins are advised to upgrade to OneView version 11.00 or later to patch the flaw.
First reported: 18.12.2025 13:35 · 2 sources, 3 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- Security hotfixes are available for versions 5.20 through 10.20.
First reported: 18.12.2025 13:35 · 2 sources, 2 articles. Sources:
- HPE warns of maximum severity RCE flaw in OneView software — www.bleepingcomputer.com — 18.12.2025 13:35
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- The vulnerability has a CVSS score of 10.0.
First reported: 18.12.2025 16:39 · 1 source, 1 article. Sources:
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- HPE OneView is IT infrastructure management software.
First reported: 18.12.2025 16:39 · 2 sources, 2 articles. Sources:
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- The hotfix must be reapplied after upgrading from version 6.60 or later to version 7.00.00, or after any HPE Synergy Composer reimaging operation.
First reported: 18.12.2025 16:39 · 1 source, 1 article. Sources:
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- Separate hotfixes are available for the OneView virtual appliance and Synergy Composer2.
First reported: 18.12.2025 16:39 · 1 source, 1 article. Sources:
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
- CISA has flagged CVE-2025-37164 as actively exploited in attacks.
First reported: 08.01.2026 09:45 · 1 source, 1 article. Sources:
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- CISA has given Federal Civilian Executive Branch (FCEB) agencies three weeks, until January 28th, to secure their systems.
First reported: 08.01.2026 09:45 · 1 source, 1 article. Sources:
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- CISA encourages all organizations, including the private sector, to patch their devices against this actively exploited flaw as soon as possible.
First reported: 08.01.2026 09:45 · 1 source, 1 article. Sources:
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
Similar Happenings
CISA Adds Actively Exploited Microsoft Office and HPE OneView Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerabilities include CVE-2009-0556 in Microsoft Office PowerPoint and CVE-2025-37164 in HPE OneView. The flaws allow for remote code execution and memory corruption. CISA urges federal agencies to apply patches by January 28, 2026, to mitigate risks. A proof-of-concept (PoC) exploit for CVE-2025-37164 has been publicly released, increasing the risk of exploitation.
Multiple Critical n8n Workflow Automation Vulnerabilities (CVE-2025-68613, CVE-2025-68668, CVE-2026-21877, CVE-2026-21858)
Multiple critical vulnerabilities have been disclosed in the n8n workflow automation platform. The most recent flaw, tracked as CVE-2026-21858 (CVSS 10.0), allows unauthenticated remote attackers to gain complete control over susceptible instances. This vulnerability affects all versions prior to and including 1.65.0 and has been patched in version 1.121.0. Additionally, three other critical vulnerabilities (CVE-2025-68613, CVE-2025-68668, and CVE-2026-21877) have been disclosed, affecting various versions of n8n. Over 103,000 instances are potentially vulnerable, with a significant number located in the U.S., Germany, France, Brazil, and Singapore. Users are advised to upgrade to the latest patched versions or to apply mitigations such as disabling the Git node and limiting access for untrusted users. The Ni8mare vulnerability (CVE-2026-21858) potentially exposes over 100,000 servers. It could enable attackers to access API credentials, OAuth tokens, database connections, and cloud storage. The vulnerability lies in the webhooks that start workflows in n8n. The platform parses incoming data based on the 'content-type' header of the webhook request. When a request is 'multipart/form-data', the platform uses a special file upload parser (Formidable), which stores the files in temporary locations; for all other content types, a regular parser is used. The file upload parser wraps Formidable's parse() function and populates req.body.files with Formidable's output. If a threat actor changes the content type to something like application/json, the n8n middleware calls the regular parser instead of the file upload parser, so req.body.files is not populated by Formidable and the file metadata and file path end up under the attacker's control. The vulnerability was reported on November 9 and fixed nine days later.
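Added example (not n8n's code and not from the articles above): a minimal model of the content-type-driven parser dispatch described in the n8n item, beside a hardened dispatcher that accepts file metadata only from the trusted multipart parser. All function, field and path names are assumptions.

```javascript
// Stand-in for the trusted upload parser (models Formidable's role): the
// server, not the client, assigns the temporary path of each uploaded file.
function parseMultipartTrusted(rawBody) {
  const files = {};
  rawBody.parts.forEach((part, i) => {
    files[part.field] = { originalName: part.filename, path: "/tmp/upload-" + i + ".bin" };
  });
  return { files, fields: {} };
}

// Generic parser used for every other content type; it returns whatever
// structure the client sent.
function parseGeneric(rawBody) {
  return JSON.parse(rawBody.text);
}

// Vulnerable pattern: the parser is chosen from the client's content-type,
// and downstream code reads body.files no matter which parser ran, so a
// non-multipart body can carry client-chosen file metadata.
function dispatchVulnerable(req) {
  const body = req.contentType.startsWith("multipart/form-data")
    ? parseMultipartTrusted(req.raw)
    : parseGeneric(req.raw);
  return body.files || {};
}

// Hardened pattern: file metadata is taken only from the trusted parser;
// a non-multipart body that carries a "files" key is rejected outright.
function dispatchHardened(req) {
  if (req.contentType.startsWith("multipart/form-data")) {
    return parseMultipartTrusted(req.raw).files;
  }
  const body = parseGeneric(req.raw);
  if (body !== null && typeof body === "object" && Object.prototype.hasOwnProperty.call(body, "files")) {
    throw new Error("file metadata is only accepted from the multipart parser");
  }
  return {};
}

// Constructed sample requests: a genuine upload and a JSON body that tries
// to supply its own file record.
const multipartReq = {
  contentType: "multipart/form-data; boundary=x",
  raw: { parts: [{ field: "doc", filename: "report.txt" }] },
};
const spoofedReq = {
  contentType: "application/json",
  raw: { text: JSON.stringify({ files: { doc: { path: "/client/chosen/path" } } }) },
};
```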
Oracle Identity Manager RCE Flaw CVE-2025-61757 Exploited in Attacks
CISA has warned that a pre-authentication remote code execution (RCE) flaw in Oracle Identity Manager, tracked as CVE-2025-61757, is being actively exploited in attacks. The vulnerability stems from an authentication bypass in the REST APIs, allowing attackers to execute malicious code. The flaw was patched by Oracle in October 2025, but evidence suggests it may have been exploited as early as August 30. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch it by December 12. Researchers from Searchlight Cyber discovered the flaw, describing it as trivial and easily exploitable. Multiple IP addresses have been observed scanning for the vulnerability, all using the same user agent. The flaw involves gaining access to a Groovy script compilation endpoint to execute malicious code. The vulnerability affects versions 12.2.1.4.0 and 14.1.2.1.0 of Oracle Identity Manager. Attackers can manipulate authentication flows, escalate privileges, and move laterally across an organization's core systems. The IP addresses 89.238.132[.]76, 185.245.82[.]81, and 138.199.29[.]153 were observed scanning for the vulnerability. The flaw was revealed by Searchlight Cyber on November 20 and added to CISA's KEV catalog on November 21. The vulnerability lies in the REST WebServices component of Oracle Identity Manager and has a CVSS severity score of 9.8. The flaw was discovered during an investigation of a breach affecting Oracle Cloud's login service, where a threat actor exploited an older vulnerability, CVE-2021-35587.
Active Exploitation of Critical Microsoft WSUS Flaw
A critical vulnerability in Microsoft Windows Server Update Service (WSUS), CVE-2025-59287, is being actively exploited in the wild. This flaw, with a CVSS score of 9.8, allows attackers to drop malicious payloads and execute arbitrary commands on infected hosts. The vulnerability affects WSUS versions 3.32.x and was discovered by Eye Security and Huntress. The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch the flaw, which was added to the Known Exploited Vulnerabilities catalog. Organizations using WSUS are advised to apply the out-of-band security updates provided by Microsoft to mitigate the risk of exploitation. The flaw was originally patched by Microsoft as part of its Patch Tuesday updates, but attackers have since weaponized it to deploy .NET executables and Base64-encoded PowerShell scripts. Shadowserver is tracking over 2,800 WSUS instances with default ports exposed online. The vulnerability is a deserialization of untrusted data flaw that allows unauthenticated attackers to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making it particularly dangerous for large enterprises. Huntress advised isolating network access to WSUS and blocking inbound traffic to TCP ports 8530 and 8531 as remediation steps. The out-of-band (OOB) security update KB5070881 for CVE-2025-59287 broke hotpatching on some Windows Server 2025 devices. Microsoft has released a new update, KB5070893, to address the issue without disrupting hotpatching. Administrators are advised to install this update to maintain hotpatching functionality.
Unauthenticated access vulnerability in Oracle E-Business Suite Configurator
A critical vulnerability in Oracle E-Business Suite (EBS) allows unauthenticated attackers to access sensitive data via HTTP. The flaw, CVE-2025-61884, affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5. CISA has confirmed that the vulnerability is being exploited in attacks and has added it to its Known Exploited Vulnerabilities catalog. Oracle has issued an emergency security update and patch, but exploitation in the wild has been reported. The vulnerability is in the Runtime UI component and could lead to unauthorized access to critical data. Oracle has silently fixed the vulnerability after it was actively exploited and a proof-of-concept exploit was leaked by the ShinyHunters extortion group. This development follows recent disclosures of zero-day exploitation in EBS software, attributed to a group with ties to the Clop ransomware group. The Clop group has been involved in major data theft campaigns targeting zero-days in Accellion FTA, GoAnywhere MFT, Cleo, and MOVEit Transfer.