Unauthenticated RCE in HPE OneView executeCommand REST API
CVE-2025-37164 is a critical code injection vulnerability in HPE OneView that allows remote unauthenticated attackers to achieve remote code execution. The issue affects HPE OneView versions prior to 11.00, including versions 5.20 through 10.20. Supporting content indicates the flaw is in the /rest/id-pools/executeCommand REST API endpoint within the id-pools functionality, where attacker-controlled input is improperly validated and passed for execution by the underlying operating system runtime. Exploitation is described as possible via an HTTP PUT request containing a malicious cmd parameter, enabling arbitrary command execution without authentication.
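For defenders checking whether the endpoint described above was touched, the following added example (not from HPE or from any repository listed on this page) triages access logs for requests to /rest/id-pools/executeCommand. It assumes combined-format logs from a reverse proxy in front of the appliance and treats a 2xx status as "request accepted"; the sample lines are constructed.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

ENDPOINT = "/rest/id-pools/executecommand"  # path from the advisory, lower-cased

# Assumption: combined access-log format written by a reverse proxy.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, URL-decode, collapse repeated slashes and
    dot segments, strip a trailing slash, lower-case."""
    path = unquote(target.split("?", 1)[0])
    return normpath(re.sub(r"/+", "/", "/" + path)).lower()

def triage(lines):
    """Return (level, source, method, status) for every hit on the endpoint."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != ENDPOINT:
            continue
        status = int(m["status"])
        if m["method"] == "PUT" and 200 <= status < 300:
            level = "critical"  # PUT accepted: treat the appliance as compromised
        elif m["method"] == "PUT":
            level = "high"      # PUT attempted but rejected or errored
        else:
            level = "info"      # other method: likely probing or scanning
        findings.append((level, m["src"], m["method"], status))
    return findings

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2026:03:12:44 +0000] "PUT /rest/id-pools/executeCommand HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.7 - - [10/Jan/2026:03:12:45 +0000] "GET / HTTP/1.1" 200 88 "-" "-"',
    '203.0.113.20 - - [10/Jan/2026:04:01:02 +0000] "PUT /rest//id-pools/%65xecuteCommand/ HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.15 - - [10/Jan/2026:05:30:10 +0000] "GET /rest/id-pools/executeCommand?x=1 HTTP/1.1" 405 0 "-" "-"',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding)
```

Path normalization matters here because a plain string match on the endpoint misses percent-encoded, doubled-slash, or mixed-case variants of the same request.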
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
3 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
This repository contains a Python exploit script (CVE-2025-37164.py) and a README.md. The exploit targets HPE OneView systems vulnerable to CVE-2025-37164. The script takes a target IP/hostname and a command as arguments, then sends a crafted HTTP PUT request to the '/rest/id-pools/executeCommand' endpoint on the target, attempting to execute the supplied command. The payload is a JSON object with the command to execute. The script prints the HTTP response, which may contain the output of the executed command. The README provides usage instructions and references to vulnerability details. The exploit is operational, allowing arbitrary command execution on vulnerable HPE OneView instances accessible over the network.
This repository contains a fully functional exploit for CVE-2025-37164, a critical unauthenticated remote code execution vulnerability in HPE OneView (versions prior to 9.20.00). The exploit is implemented in a single Python script (CVE-2025-37164.py) and is accompanied by a detailed README.md. The exploit targets the /rest/id-pools/executeCommand API endpoint, which is vulnerable to command injection via the 'cmd' parameter in a JSON payload. The script supports a wide range of post-exploitation features, including arbitrary command execution, reverse shell generation (with multiple payload options), system enumeration, credential harvesting, network reconnaissance, file upload/download, and persistence mechanisms (cron jobs, SSH keys). The exploit does not require authentication and is designed for ease of use, supporting both direct command execution and interactive post-exploitation modules. The README provides comprehensive usage instructions, detection guidance, and mitigation recommendations. The main attack vector is network-based, exploiting an exposed API endpoint over HTTP(S).
This repository contains a Python proof-of-concept exploit for CVE-2025-37164, a critical unauthenticated remote code execution vulnerability in HPE OneView (versions prior to 11.0). The exploit targets the '/rest/id-pools/executeCommand' HTTP API endpoint, which improperly allows unauthenticated users to execute arbitrary system commands via a crafted PUT request. The script supports several attack modes: vulnerability checking, single command execution, interactive shell, and reverse shell (with payloads in bash, python, and perl). It can automatically detect or brute-force the correct API version required by the endpoint. The exploit is operational and can be used to gain full remote code execution on vulnerable HPE OneView instances. The repository consists of the main exploit script (CVE-2025-37164.py) and a README.md with usage instructions and vulnerability details.
Recent activity
165 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A 2025 vulnerability that the report says was added to RondoDox’s exploit set in January 2026.
An unauthenticated remote code execution vulnerability in HPE OneView that has been added to CISA KEV due to confirmed exploitation in the wild.
Maximum-severity HPE OneView vulnerability allowing unauthenticated remote code execution; stated as resolved by HPE.
Critical code injection vulnerability in HPE OneView enabling unauthenticated remote code execution; a detailed proof-of-concept is publicly available.