
Critical HPE OneView Vulnerability Exploited in Attacks

The maximum-severity code injection flaw can be exploited without authentication for remote code execution. The post Critical HPE OneView Vulnerability Exploited in Attacks appeared first on SecurityWeek.


The US cybersecurity agency CISA on Wednesday warned that a critical-severity vulnerability in the OneView product from Hewlett Packard Enterprise (HPE) has been exploited in attacks.

Tracked as CVE-2025-37164 (CVSS score of 10/10), the security defect was disclosed on December 17, 2025, when HPE released hotfixes for it.

HPE credited Nguyen Quoc Khanh for reporting the bug but refrained from sharing technical information.

“This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said.

According to cybersecurity firm Rapid7, the issue likely impacts a specific REST API endpoint reachable without authentication.

On Wednesday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it has been exploited in the wild.

“Hewlett Packard Enterprise OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution,” the cybersecurity agency notes.

CISA has not shared details on the observed attacks.

On Wednesday, the agency also added to the KEV list a code injection defect in Microsoft Office that was disclosed in 2009.

Tracked as CVE-2009-0556, the bug was exploited in espionage campaigns against the Uyghur ethnic group in China over a decade ago.

Per Binding Operational Directive (BOD) 22-01, federal agencies have three weeks to identify vulnerable HPE OneView and Microsoft Office instances in their environments and patch them.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV catalog and apply mitigations and patches for the vulnerabilities in it.
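The review-the-KEV-catalog step above is easy to automate. The following is an added example (not SecurityWeek's, CISA's or HPE's code) that reads a catalog in the shape of CISA's public KEV JSON feed, matches its entries against a small asset inventory, and computes how many days remain before the BOD 22-01 due date. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) mirror the real feed, but the dates, descriptions, hostnames and inventory below are constructed sample values, not the catalog's actual entries. Note the caveat built into the matcher: KEV records a vendor and product, not affected versions, so a hit only means "go check this host against the vendor advisory", not "this host is vulnerable".

```python
import json
from datetime import date, timedelta

# BOD 22-01 gives federal agencies three weeks for KEV entries (per the article).
BOD_22_01_REMEDIATION_DAYS = 21

# Constructed sample shaped like CISA's KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the real feed; every value below is a made-up sample.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "catalogVersion": "sample",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-37164",
      "vendorProject": "Hewlett Packard Enterprise",
      "product": "OneView",
      "vulnerabilityName": "Hewlett Packard Enterprise OneView Code Injection Vulnerability",
      "dateAdded": "2026-01-14",
      "shortDescription": "Code injection reachable by a remote unauthenticated user (sample text).",
      "requiredAction": "Apply the vendor hotfix.",
      "dueDate": "2026-02-04",
      "knownRansomwareCampaignUse": "Unknown"
    },
    {
      "cveID": "CVE-2009-0556",
      "vendorProject": "Microsoft",
      "product": "Office",
      "vulnerabilityName": "Microsoft Office Code Injection Vulnerability",
      "dateAdded": "2026-01-14",
      "shortDescription": "Legacy Office code injection flaw (sample text).",
      "requiredAction": "Apply vendor updates or retire the product.",
      "dueDate": "2026-02-04",
      "knownRansomwareCampaignUse": "Unknown"
    }
  ]
}
"""

# Constructed asset inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    {"host": "oneview-mgmt-01.corp.example", "vendor": "Hewlett Packard Enterprise", "product": "OneView"},
    {"host": "ws-finance-07.corp.example", "vendor": "Microsoft", "product": "Office"},
    {"host": "build-42.corp.example", "vendor": "Example Corp", "product": "Widget Server"},
]


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product comparison."""
    return " ".join(text.lower().split())


def load_kev(raw_json: str) -> dict:
    """Parse a KEV-shaped feed into a dict keyed by CVE ID."""
    data = json.loads(raw_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def bod_due_date(date_added_iso: str) -> str:
    """Due date implied by BOD 22-01's three-week window (ISO date string)."""
    added = date.fromisoformat(date_added_iso)
    return (added + timedelta(days=BOD_22_01_REMEDIATION_DAYS)).isoformat()


def match_inventory(kev: dict, inventory: list) -> list:
    """Name-based match only: KEV carries no affected-version data, so each hit
    still has to be confirmed against the vendor advisory before it is called vulnerable."""
    findings = []
    for asset in inventory:
        for entry in kev.values():
            if _norm(asset["vendor"]) == _norm(entry["vendorProject"]) and \
               _norm(asset["product"]) == _norm(entry["product"]):
                findings.append({
                    "host": asset["host"],
                    "cveID": entry["cveID"],
                    "dueDate": entry["dueDate"],
                    "requiredAction": entry["requiredAction"],
                })
    return findings


def days_until_due(finding: dict, today_iso: str) -> int:
    """Days left before the KEV due date; negative once the deadline has passed."""
    return (date.fromisoformat(finding["dueDate"]) - date.fromisoformat(today_iso)).days


def report(kev: dict, inventory: list, today_iso: str) -> list:
    """Join inventory matches with their remaining remediation time."""
    rows = []
    for finding in match_inventory(kev, inventory):
        left = days_until_due(finding, today_iso)
        rows.append({**finding, "daysLeft": left, "overdue": left < 0})
    return rows


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for row in report(kev, SAMPLE_INVENTORY, date.today().isoformat()):
        flag = "OVERDUE" if row["overdue"] else f"{row['daysLeft']} days left"
        print(f"{row['host']}: {row['cveID']} due {row['dueDate']} ({flag}) - {row['requiredAction']}")
```

In practice the feed would be fetched from the CISA URL above (or a mirrored copy) and the inventory would come from a CMDB or scanner export; the matching is deliberately strict on vendor and product names, so an inventory that records "HPE" rather than "Hewlett Packard Enterprise" needs an alias table before it is useful.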
