Detect HPE OneView Code Injection Exploitation (CVE-2025-37164) in Splunk
Detects exploitation of CVE-2025-37164, a code injection vulnerability (CWE-94) in Hewlett Packard Enterprise OneView. This vulnerability is listed in the CISA Known Exploited Vulnerabilities catalog and allows attackers to inject and execute arbitrary code through the OneView management platform, potentially compromising datacenter infrastructure management.
MITRE ATT&CK
SPL Detection Query
index=* (sourcetype=hpe_oneview OR sourcetype=syslog OR sourcetype=wineventlog)
| eval is_oneview_related=if(match(source, "(?i)oneview") OR match(host, "(?i)oneview") OR match(_raw, "(?i)(hpe.*oneview|oneview.*hpe|com\.hp\.ov|ImageStreamer)"), 1, 0)
| where is_oneview_related=1
| eval suspicious_cmd=if(match(_raw, "(?i)(eval|exec|Runtime\.exec|ProcessBuilder|shell_exec|system\(|popen|subprocess|os\.system)"), 1, 0)
| eval child_proc_spawn=if(match(_raw, "(?i)(bash|/bin/sh|/bin/sh|python|perl|ruby|curl|wget|nc |ncat|socat)") AND match(_raw, "(?i)(java|tomcat|jvm)"), 1, 0)
| eval inbound_exploit=if(match(_raw, "(?i)(POST|PUT).*(/rest/|/api/v1/|/api/v2/).*script") OR match(_raw, "(?i)code.?injection"), 1, 0)
| where suspicious_cmd=1 OR child_proc_spawn=1 OR inbound_exploit=1
| eval risk_score=case(
suspicious_cmd=1 AND child_proc_spawn=1, 90,
child_proc_spawn=1, 75,
inbound_exploit=1, 80,
suspicious_cmd=1, 60,
true(), 50
)
| eval cve="CVE-2025-37164"
| stats count as event_count, min(_time) as first_seen, max(_time) as last_seen, max(risk_score) as max_risk, values(suspicious_cmd) as suspicious_cmds by host, src_ip, cve
| where event_count > 0
| sort - max_risk
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S"), last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")Identifies HPE OneView exploitation attempts by detecting suspicious code execution patterns, child process spawning from Java/JVM processes associated with OneView, and HTTP requests targeting OneView REST API endpoints with injection payloads.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate OneView scripting API usage by authorized administrators
- HPE OneView appliance software update processes that invoke shell commands
- Security scanning tools performing authorized vulnerability assessments
- OneView automation scripts using the REST API for infrastructure management
Other platforms for CVE-2025-37164
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1HPE OneView REST API Code Injection Simulation
Expected signal: HTTP POST request to /rest/login-sessions with injection pattern in request body visible in web access logs; network flow from test host to OneView appliance on port 443
- Test 2Simulated Child Process Spawn from Java Context
Expected signal: Process event showing java parent spawning /bin/bash child process; bash executing id, hostname, whoami commands
- Test 3OneView API Reconnaissance — Endpoint Enumeration
Expected signal: Multiple HTTP GET requests to OneView API endpoints from a single source IP within a short timeframe; mix of 401, 403, and potentially 200 responses visible in access logs
- Test 4Reverse Shell Establishment Post-Injection Simulation
Expected signal: Outbound TCP connection from OneView appliance or compromised host to attacker IP on non-standard port; ncat or bash process with network socket; network flow egress event
Unlock Pro Content
Get the full detection package for CVE-2025-37164 including response playbook, investigation guide, and atomic red team tests.