CISA tags max severity HPE OneView flaw as actively exploited
2026-1-8 08:0:19 Author: www.bleepingcomputer.com (view original)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has flagged a maximum-severity HPE OneView vulnerability as actively exploited in attacks.

HPE's OneView infrastructure management software helps IT admins automate the management of storage, servers, and networking devices from a centralized interface.

Tracked as CVE-2025-37164, this critical security flaw was reported by Vietnamese security researcher Nguyen Quoc Khanh (brocked200) to HPE, which released security patches in mid-December.

CVE-2025-37164 affects all OneView versions released before v11.00 and can be exploited by unauthenticated threat actors through low-complexity code-injection attacks to gain remote code execution on unpatched systems.

"A potential security vulnerability has been identified in Hewlett Packard Enterprise OneView Software. This vulnerability could be exploited, allowing a remote unauthenticated user to perform remote code execution," HPE warned on December 16.

There are no workarounds or mitigations for CVE-2025-37164, so HPE advised customers to upgrade to OneView version 11.00 or later (available through HPE's Software Center) as soon as possible.
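A fleet triage check for the upgrade guidance above, as an added example that is not from the article or from HPE: the 11.00 threshold comes from the text, while the version-string format ("major.minor[.patch][-build]"), the `software_version` field name and the sample inventory are assumptions.

```python
import re
from dataclasses import dataclass

# Article: every OneView release before 11.00 is affected; fix is 11.00+.
FIXED_VERSION = (11, 0)

# Assumed format "major.minor[.patch][-build]", e.g. "10.20.00-0455654";
# the build suffix is ignored for the comparison.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.\d+)?(?:-\d+)?$")


@dataclass
class Appliance:
    name: str
    software_version: str  # assumed field name, constructed values below


def parse_version(text: str) -> tuple[int, int]:
    """Return (major, minor); raise ValueError for an unrecognised string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OneView version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(text: str) -> bool:
    """True when the version predates 11.00, i.e. exposed to CVE-2025-37164."""
    return parse_version(text) < FIXED_VERSION


def triage(inventory: list[Appliance]) -> dict[str, list[str]]:
    """Bucket appliances as patched / vulnerable / unknown for follow-up."""
    buckets: dict[str, list[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for a in inventory:
        try:
            key = "vulnerable" if is_vulnerable(a.software_version) else "patched"
        except ValueError:
            key = "unknown"  # unparseable data is a finding, not a pass
        buckets[key].append(a.name)
    return buckets


# Constructed sample inventory (not real hosts or real version data).
SAMPLE_INVENTORY = [
    Appliance("ov-dc1", "11.00.00-0460001"),
    Appliance("ov-dc2", "10.20.00-0455654"),
    Appliance("ov-lab", "9.10"),
    Appliance("ov-old", "n/a"),
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(names) or '-'}")
```

Anything landing in the "unknown" bucket should be checked by hand rather than treated as patched, since the article notes there is no workaround short of upgrading.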

CISA has also added the vulnerability to its catalog of flaws exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies three weeks to secure their systems by January 28th, as mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021.

Even though BOD 22-01 targets only federal agencies, CISA encouraged all organizations, including those in the private sector, to patch their devices against this actively exploited flaw as soon as possible.

"Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable," CISA warned on Wednesday.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," it added.

In July, HPE also warned of hardcoded credentials in Aruba Instant On Access Points that could enable attackers to bypass standard device authentication. One month earlier, it patched eight vulnerabilities in its StoreOnce disk-based backup and deduplication solution, including three remote code execution flaws and a critical-severity authentication bypass.

HPE has reported revenues of $30.1 billion in 2024 and has over 61,000 employees worldwide. It provides services and products to over 55,000 organizations worldwide, including 90% of Fortune 500 companies.


Article source: https://www.bleepingcomputer.com/news/security/cisa-tags-max-severity-hpe-oneview-flaw-as-actively-exploited/