
Critical HPE bug exploited: Backdoor, or bad security testing?

Just an undocumented utility API exposed on a public management port without an active session requirement giving an attacker access to all your servers then?

A critical pre-authentication remote code execution (RCE) bug in HPE’s IT infrastructure management software OneView – allocated CVE-2025-37164 – is now being exploited in the wild.

The vulnerability stems from the fact that HPE left an undocumented utility API exposed on a public management port without an active session requirement. Exploitation gives a successful attacker “god mode” powers.

Is this CVSS 10 bug a backdoor or a balls-up? Read on…
