CVE-2025-37164 HPE OneView Remote Code Execution
BLUF
A critical code injection vulnerability in HPE OneView allows unauthenticated remote attackers to execute arbitrary code on the appliance, potentially compromising data center management infrastructure.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by unauthenticated remote code execution exposure in HPE OneView management appliances:
Low-end total cost: $1M – $1.5M
(Rapid detection, no evidence of configuration tampering, limited appliance scope)
Typical expected range: $900,000 – $1.6M
(Full management-plane validation, moderate operational disruption, insurance engagement)
Upper-bound realistic scenarios: $2M – $3.5M
(Multi-site OneView deployments, extended assurance efforts, regulatory or customer scrutiny)
Key cost driver:
Costs are driven less by immediate system downtime and more by the loss of trust in centralized infrastructure control planes. Because OneView governs server provisioning, firmware, credentials, and lifecycle automation, organizations must assume potential systemic impact and perform broad validation across environments—extending recovery timelines and increasing assurance, compliance, and governance costs well beyond initial containment.
Potential Affected Sectors
· Data Centers
· Cloud Service Providers
· Enterprise IT
Potential Affected Countries
· Global
Date of First Reported Activity
· January 7, 2026
Date of Last Reported Activity Update
· January 7, 2026
CVE-2025-37164
CVSS 3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· 282316
Is CVE-2025-37164 on the KEV list?
· Yes
What is the patch by date for CVE-2025-37164?
· January 28, 2026
URL link to patch information
· hxxps://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US
APT Names
· No APT groups have been specifically named at this time.
Criminal Organizations
· No criminal organizations have been specifically named at this time.
TTPs
· T1190 Exploit Public-Facing Application
o Attackers leverage the vulnerable REST API endpoint (/rest/id-pools/executeCommand) to gain initial access.
· T1059 Command and Scripting Interpreter
o Successful exploitation allows the execution of arbitrary system commands, typically as a high-privileged user.
· T1210 Exploitation of Remote Services
o Used to facilitate remote code execution across the network without prior authentication.
· T1078 Valid Accounts
o Exploitation of the management console can lead to the compromise or creation of administrative accounts for persistent "God Mode" access over the data center infrastructure.
· T1565 Data Manipulation
o Attackers can modify system configurations, firmware, or lifecycle management settings.
IOCs
Known Technical Indicators
· Vulnerable Endpoint: the vulnerability is triggered via the REST API endpoint
o /rest/id-pools/executeCommand
· Attack Vector: remote, unauthenticated HTTP requests to the aforementioned endpoint on the appliance's web server.
· Weakness Type: CWE-94 (Improper Control of Generation of Code, or 'Code Injection')
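As an added detection example (not from this advisory or from HPE), the following Python flags access-log requests that target the endpoint listed above and tallies them per source address; the combined access-log layout and the sample lines are constructed assumptions and should be adapted to the appliance's real log format.

```python
"""Flag HTTP access-log entries that hit the OneView endpoint named in the
advisory (/rest/id-pools/executeCommand). The log layout and sample lines are
constructed assumptions, not OneView's actual log format."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed Apache/Nginx "combined" access-log layout (assumption, not OneView's own).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)
SUSPECT_PATH = "/rest/id-pools/executecommand"  # compared case-insensitively

def parse_line(line):
    """Return a dict of fields, or None if the line does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspect(entry):
    """True when the request path (ignoring query string, trailing slash and
    letter case) is the advisory's endpoint."""
    path = urlsplit(entry["target"]).path.rstrip("/").lower()
    return path == SUSPECT_PATH

def flag_requests(lines):
    """Return (hits, per_source): parsed entries that targeted the endpoint,
    and a Counter of those hits keyed by client address."""
    hits = [e for e in map(parse_line, lines) if e and is_suspect(e)]
    return hits, Counter(e["src"] for e in hits)

# Constructed sample log lines (not captured from a real appliance).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jan/2026:10:14:02 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 412',
    '198.51.100.9 - - [07/Jan/2026:10:14:05 +0000] "GET /rest/version HTTP/1.1" 200 88',
    '203.0.113.7 - - [07/Jan/2026:10:14:09 +0000] "POST /rest/ID-Pools/executeCommand/?x=1 HTTP/1.1" 500 0',
    '192.0.2.5 - - [07/Jan/2026:10:15:11 +0000] "GET /rest/id-pools/ipv4 HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    hits, per_source = flag_requests(SAMPLE_LOG)
    for e in hits:
        print(f'{e["ts"]} {e["src"]} {e["method"]} {e["target"]} -> {e["status"]}')
    print("hits per source:", dict(per_source))
```

Any hit on a patched appliance still deserves a look, since a request to this endpoint from an unexpected source indicates scanning or exploitation attempts against the management plane.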
Malware names
· There has not been any malware associated with CVE-2025-37164 at this time.
Malware Samples
· There has not been any malware associated with CVE-2025-37164 at this time.
Delivery Method
· Network-based exploitation of the management interface.
References
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-37164
Support HPE
· hxxps://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US