HPE OneView Code Injection Exploitation (CVE-2025-37164)

let OneViewIPs = dynamic([]);
let suspiciousProcesses = dynamic(["bash", "sh", "python", "python3", "perl", "ruby", "curl", "wget", "nc", "ncat", "socat"]);
let lookback = 24h;
union 
  (
    DeviceNetworkEvents
    | where TimeGenerated >= ago(lookback)
    | where RemotePort in (443, 80, 8080, 8443)
    | where RemoteUrl has_any ("oneview", "hpeoneview")
    | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort, ActionType
    | extend AlertSource = "NetworkEvent"
  ),
  (
    DeviceProcessEvents
    | where TimeGenerated >= ago(lookback)
    | where InitiatingProcessFileName =~ "java" or InitiatingProcessParentFileName =~ "java"
    | where FileName in~ (suspiciousProcesses)
    | where InitiatingProcessCommandLine has_any ("oneview", "hpov", "com.hp.ov", "ImageStreamer")
    | project TimeGenerated, DeviceId, DeviceName, FileName, ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessFileName
    | extend AlertSource = "ProcessEvent"
  ),
  (
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | where DeviceProduct has_any ("OneView", "HPE OneView")
    | where Activity has_any ("code injection", "script execution", "command execution", "eval", "exec")
    | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP, Activity, Message
    | extend AlertSource = "CommonSecurityLog"
  )
| summarize Count=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by AlertSource, DeviceName, SourceIP=coalesce(RemoteIP, SourceIP)
| where Count > 0
| extend Severity = "High"
| extend CVE = "CVE-2025-37164"

index=* (sourcetype=hpe_oneview OR sourcetype=syslog OR sourcetype=wineventlog)
| eval is_oneview_related=if(match(source, "(?i)oneview") OR match(host, "(?i)oneview") OR match(_raw, "(?i)(hpe.*oneview|oneview.*hpe|com\.hp\.ov|ImageStreamer)"), 1, 0)
| where is_oneview_related=1
| eval suspicious_cmd=if(match(_raw, "(?i)(eval|exec|Runtime\.exec|ProcessBuilder|shell_exec|system\(|popen|subprocess|os\.system)"), 1, 0)
| eval child_proc_spawn=if(match(_raw, "(?i)(bash|/bin/sh|/bin/sh|python|perl|ruby|curl|wget|nc |ncat|socat)") AND match(_raw, "(?i)(java|tomcat|jvm)"), 1, 0)
| eval inbound_exploit=if(match(_raw, "(?i)(POST|PUT).*(/rest/|/api/v1/|/api/v2/).*script") OR match(_raw, "(?i)code.?injection"), 1, 0)
| where suspicious_cmd=1 OR child_proc_spawn=1 OR inbound_exploit=1
| eval risk_score=case(
    suspicious_cmd=1 AND child_proc_spawn=1, 90,
    child_proc_spawn=1, 75,
    inbound_exploit=1, 80,
    suspicious_cmd=1, 60,
    true(), 50
  )
| eval cve="CVE-2025-37164"
| stats count as event_count, min(_time) as first_seen, max(_time) as last_seen, max(risk_score) as max_risk, values(suspicious_cmd) as suspicious_cmds by host, src_ip, cve
| where event_count > 0
| sort - max_risk
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")

sequence by host.name with maxspan=5m
  [process where event.type == "start"
    and process.name in ("java", "catalina.sh", "startup.sh")
    and process.command_line : ("*oneview*", "*hpov*", "*com.hp.ov*")]
  [process where event.type == "start"
    and process.parent.name in ("java", "sh", "bash")
    and process.name in ("bash", "sh", "python", "python3", "perl", "ruby", "curl", "wget", "nc", "ncat", "socat")]

OR

any where event.category == "network"
  and network.direction == "ingress"
  and destination.port in (443, 80, 8080, 8443)
  and http.request.method in ("POST", "PUT")
  and url.path : ("/rest/*", "/api/v*")
  and http.request.body.content : ("*eval(*", "*exec(*", "*Runtime.exec*", "*ProcessBuilder*", "*script*inject*")

SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
  sourceip,
  destinationip,
  destinationport,
  username,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS category_name,
  "devicetype",
  UTF8(payload) AS raw_payload,
  logsourceid
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%HPE%'
  OR LOGSOURCETYPENAME(devicetype) ILIKE '%OneView%'
  OR UTF8(payload) ILIKE '%oneview%'
  OR UTF8(payload) ILIKE '%hpe.ov%'
  OR UTF8(payload) ILIKE '%ImageStreamer%'
AND (
  UTF8(payload) ILIKE '%eval(%'
  OR UTF8(payload) ILIKE '%exec(%'
  OR UTF8(payload) ILIKE '%Runtime.exec%'
  OR UTF8(payload) ILIKE '%ProcessBuilder%'
  OR UTF8(payload) ILIKE '%shell_exec%'
  OR UTF8(payload) ILIKE '%.system(%'
  OR (UTF8(payload) ILIKE '%/bin/bash%' AND UTF8(payload) ILIKE '%java%')
  OR (UTF8(payload) ILIKE '%/bin/sh%' AND UTF8(payload) ILIKE '%tomcat%')
  OR (destinationport IN (443, 8443, 80, 8080) AND UTF8(payload) ILIKE '%script%inject%')
)
LAST 24 HOURS
ORDER BY starttime DESC

(_sourceCategory="hpe/oneview" OR _sourceCategory="infrastructure/hpe" OR "oneview" OR "hpe.ov" OR "ImageStreamer")
| where !(isNull(_raw))
| parse regex field=_raw "(?<src_ip>\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b)" nodrop
| parse regex field=_raw "(?<event_type>POST|GET|PUT|DELETE|PATCH)\s+(?<uri_path>/[^\s]+)" nodrop
| eval is_api_call = if(uri_path matches "/rest/*" or uri_path matches "/api/v*", 1, 0)
| eval has_injection = if(
    _raw matches "*eval(*" or
    _raw matches "*exec(*" or
    _raw matches "*Runtime.exec*" or
    _raw matches "*ProcessBuilder*" or
    _raw matches "*/bin/bash*" or
    _raw matches "*/bin/sh*" or
    _raw matches "*python*java*" or
    _raw matches "*curl*java*" or
    _raw matches "*wget*java*"
  , 1, 0)
| eval risk = if(has_injection == 1 and is_api_call == 1, "CRITICAL",
    if(has_injection == 1, "HIGH",
    if(is_api_call == 1 and event_type = "POST", "MEDIUM", "LOW")))
| where has_injection == 1 or (is_api_call == 1 and event_type in ("POST", "PUT"))
| stats count as events, min(_messageTime) as first_seen, max(_messageTime) as last_seen, values(risk) as risks by src_ip, uri_path
| sort by events desc

rule hpe_oneview_code_injection_cve_2025_37164 {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects HPE OneView code injection exploitation (CVE-2025-37164)"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbgn04985en_us&docLocale=en_US"
    cve = "CVE-2025-37164"

  events:
    (
      $e.metadata.event_type = "NETWORK_HTTP"
      and (
        re.regex($e.target.url, `(?i)(oneview|hpe.*ov|ImageStreamer)`) or
        re.regex($e.target.hostname, `(?i)(oneview|hpeov)`)
      )
      and $e.network.http.method in ["POST", "PUT"]
      and (
        re.regex($e.target.url, `(?i)(/rest/|/api/v[0-9]+/)`) or
        re.regex($e.network.http.request_body, `(?i)(eval\(|exec\(|Runtime\.exec|ProcessBuilder|script.*inject)`)
      )
    )
    or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.principal.process.command_line, `(?i)(oneview|hpov|com\.hp\.ov|ImageStreamer)`)
      and $e.target.process.file.full_path in ["/bin/bash", "/bin/sh", "/usr/bin/python", "/usr/bin/python3", "/usr/bin/perl", "/usr/bin/curl", "/usr/bin/wget"]
    )

  condition:
    $e
}

#event_simpleName=ProcessRollup2
| $falcon.metadata.eventType = "ProcessRollup2"
| ParentBaseFileName = /java|tomcat|catalina/i
  AND CommandLine = /oneview|hpov|com\.hp\.ov|ImageStreamer/i
  AND ImageFileName = /\/bin\/bash|\/bin\/sh|\/usr\/bin\/python|\/usr\/bin\/perl|\/usr\/bin\/curl|\/usr\/bin\/wget|\/usr\/bin\/nc/i
| eval risk_indicator = "child_proc_spawn_from_oneview"
| table timestamp, ComputerName, UserName, ParentBaseFileName, ImageFileName, CommandLine, ParentCommandLine, SHA256HashData, risk_indicator

OR

#event_simpleName=NetworkConnectIP4
| RemotePort in [443, 8443, 80, 8080]
| RemoteAddressIP4 != "127.0.0.1" AND RemoteAddressIP4 != "::1"
| LocalAddressIP4 != RemoteAddressIP4
| ContextBaseFileName = /java|catalina/i
| eval risk_indicator = "oneview_java_outbound_connection"
| table timestamp, ComputerName, UserName, ContextBaseFileName, RemoteAddressIP4, RemotePort, LocalAddressIP4, risk_indicator