An active, coordinated exploitation campaign conducted by a botnet has been identified by Check Point Research which is targeting a critical vulnerability affecting HPE OneView.
The activity has been attributed to the Linux-based RondoDox botnet and Check Point warned the campaign represents a sharp escalation from early probing attempts to large-scale, automated attacks.
The HPE OneView vulnerability, CVE-2025-37164, was first published to the National Vulnerability Database (NVD) on 16 December, 2025 and was given a CVSS 3.1 score of 10 (critical) by HPE.
In an update published on 15 January, Check Point said it has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act.
After detecting early exploitation activity and deploying protection measures against the vulnerability in December 2025, Check Point observed a dramatic increase in active exploitation in January 2026.
On 7 January, between 05:45 and 09:20 UTC, the firm recorded more than 40,000 attack attempts exploiting CVE-2025-37164.
“Analysis indicates that these attempts were automated, botnet-driven exploitation,” Check Point said.
RondoDox was first publicly identified in mid-2025, and Check Point said it has observed it actively exploiting high-profile vulnerabilities, including December’s React2Shell CVE-2025-55182, with a particular focus on unpatched edge and perimeter infrastructure.
Check Point Research reported the campaign to CISA the same day, and the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog the same day.
The HPE OneView is an IT infrastructure management platform that automates the management of computation, storage, and networking resources, which is widely used by organizations across various sectors.
The critical RCE vulnerability resides in the exposed ExecuteCommand REST API endpoint tied to the id-pools functionality.
The endpoint accepts attacker supplied input without authentication or authorization checks and executes it directly via the underlying operating system runtime, without authentication or authorization checks.
This provides attackers with a direct path to remote code execution on affected systems.
“Organizations running HPE OneView should patch immediately and ensure compensating controls are in place. The inclusion of CVE-2025-37164 in CISA’s KEV catalog reinforces the urgency. This vulnerability is actively exploited and presents a real-world risk,” Check Point said.
