
Tainan Branch, Administrative Enforcement Agency, Ministry of Justice

Critical HPE OneView Vulnerability Exploited in Attacks

  • Last updated: 2026-02-10

The US cybersecurity agency CISA on Wednesday warned that a critical-severity vulnerability in the OneView product from Hewlett Packard Enterprise (HPE) has been exploited in attacks.

Tracked as CVE-2025-37164 (CVSS score of 10/10), the security defect was disclosed on December 17, 2025, when HPE released hotfixes for it.

HPE credited Nguyen Quoc Khanh for reporting the bug but refrained from sharing technical information.

“This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution,” HPE said.

According to cybersecurity firm Rapid7, the issue likely impacts a specific REST API endpoint reachable without authentication.

On Wednesday, CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, warning that it has been exploited in the wild.
