Hewlett Packard Enterprise: RondoDox Botnet Targets HPE OneView Vulnerability in Exploitation Wave

Critical HPE OneView Vulnerability Exploited in Large-Scale Botnet Campaign

A coordinated exploitation campaign by the Linux-based RondoDox botnet is actively targeting CVE-2025-37164, a critical remote code execution (RCE) vulnerability in HPE OneView, a widely used IT infrastructure management platform. The flaw, disclosed on 16 December 2025 with a CVSS score of 10, allows unauthenticated attackers to execute arbitrary commands via the ExecuteCommand REST API endpoint due to missing authentication and authorization checks.

Security firm Check Point Research detected the campaign, reporting a sharp escalation from early probing attempts to large-scale automated attacks in January 2026. Between 05:45 and 09:20 UTC on 7 January, over 40,000 exploitation attempts were recorded, with the activity attributed to the RondoDox botnet, which has previously targeted high-profile vulnerabilities like CVE-2025-55182 (React2Shell).

The vulnerability affects HPE OneView’s id-pools functionality, enabling attackers to execute commands directly on the underlying OS without authentication. Check Point reported the campaign to CISA, leading to the flaw’s inclusion in the Known Exploited Vulnerabilities (KEV) catalog on the same day.

Organizations running unpatched HPE OneView are at high risk: the botnet's focus on unpatched edge and perimeter infrastructure, combined with an unauthenticated RCE in a management platform, raises the potential for widespread compromise. The incident underscores the urgency of applying HPE's patch and, until it is applied, of compensating controls such as restricting network access to the OneView management interface and monitoring for requests to the vulnerable endpoint.
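One compensating control a defender can stand up while waiting on the patch is log triage for the endpoint the article names. The following is an added example, not code from the article, from HPE or from Check Point: it parses a constructed access log (JSON lines, a format assumed here; the real OneView appliance log layout is not given in the article), flags successful requests to an id-pools ExecuteCommand-style path that carry no authentication, and separately flags any source that hits that path in a burst, which is what automated botnet exploitation looks like. The path pattern matched (`id-pools` and `ExecuteCommand` as segments) is an assumption built from the two terms the article uses; the exact vulnerable URL is not on the page. The sample log lines and IP addresses are constructed for illustration.

```python
"""Added example (not from the original article, HPE or Check Point):
flag unauthenticated and burst traffic to an id-pools ExecuteCommand-style
endpoint in a constructed access log.  The log format, the endpoint path
and the sample lines below are assumptions for illustration only."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# ASSUMPTION: the vulnerable endpoint sits under an id-pools path and its
# last segment names ExecuteCommand.  Both terms come from the article; the
# exact path is a guess used only for matching.
PATH_MARKERS = ("id-pools", "ExecuteCommand")

# Constructed sample log (JSON lines): ts is ISO-8601 UTC, "auth" records
# whether the request carried a session/authorization header.
SAMPLE_LOG = """\
{"ts":"2026-01-07T05:45:02Z","src":"203.0.113.9","method":"POST","path":"/rest/id-pools/ExecuteCommand","status":200,"auth":false}
{"ts":"2026-01-07T05:45:03Z","src":"203.0.113.9","method":"POST","path":"/rest/id-pools/ExecuteCommand","status":200,"auth":false}
{"ts":"2026-01-07T05:45:04Z","src":"203.0.113.9","method":"POST","path":"/rest/id-pools/ExecuteCommand","status":200,"auth":false}
{"ts":"2026-01-07T05:46:10Z","src":"198.51.100.4","method":"GET","path":"/rest/server-hardware","status":200,"auth":true}
{"ts":"2026-01-07T05:47:00Z","src":"198.51.100.4","method":"POST","path":"/rest/id-pools/ExecuteCommand","status":200,"auth":true}
{"ts":"2026-01-07T06:10:00Z","src":"192.0.2.77","method":"POST","path":"/rest/id-pools/ExecuteCommand","status":200,"auth":false}
"""


def parse_log(text):
    """Parse JSON lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
                tzinfo=timezone.utc
            )
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue
    return events


def is_execute_command(path):
    """True when every assumed path marker appears in the request path."""
    p = path.lower()
    return all(marker.lower() in p for marker in PATH_MARKERS)


def unauthenticated_hits(events):
    """Requests to the endpoint with no auth that the server still answered 2xx.

    The flaw is that the endpoint accepts commands without authentication, so an
    unauthenticated call that succeeds is the exploitation signal itself."""
    return [
        e for e in events
        if is_execute_command(e["path"]) and not e.get("auth")
        and 200 <= int(e.get("status", 0)) < 300
    ]


def burst_sources(events, window_seconds=60, threshold=3):
    """Sources with at least `threshold` endpoint hits inside any sliding window."""
    per_src = defaultdict(list)
    for e in events:
        if is_execute_command(e["path"]):
            per_src[e["src"]].append(e["ts"])
    flagged = {}
    for src, times in per_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[src] = best
    return flagged


def triage(text, window_seconds=60, threshold=3):
    """Run both detections over raw log text and return a summary dict."""
    events = parse_log(text)
    return {
        "unauthenticated_sources": sorted({e["src"] for e in unauthenticated_hits(events)}),
        "burst_sources": burst_sources(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

On the constructed sample, the authenticated operator call from 198.51.100.4 is not flagged, the single unauthenticated hit from 192.0.2.77 is reported as an unauthenticated source, and 203.0.113.9 is reported both as unauthenticated and as a burst source. If the appliance exports logs in a different layout, only `parse_log` needs to change; the two detections work on the normalized event dicts.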

Source: https://www.infosecurity-magazine.com/news/rondodox-botnet-targets-hpe/

Hewlett Packard Enterprise TPRM report: https://www.rankiteo.com/company/hewlett-packard-enterprise

{
  "id": "hew1768563793",
  "linkid": "hewlett-packard-enterprise",
  "type": "Vulnerability",
  "date": "12/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Information Technology',
                        'name': 'Hewlett Packard Enterprise (HPE)',
                        'type': 'Technology Vendor'}],
 'attack_vector': 'Remote Code Execution (RCE)',
 'date_detected': '2026-01-07T05:45:00Z',
 'date_publicly_disclosed': '2025-12-16',
 'description': 'A coordinated exploitation campaign by the Linux-based '
                'RondoDox botnet is actively targeting CVE-2025-37164, a '
                'critical remote code execution (RCE) vulnerability in HPE '
                'OneView, a widely used IT infrastructure management platform. '
                'The flaw allows unauthenticated attackers to execute '
                'arbitrary commands via the ExecuteCommand REST API endpoint '
                'due to missing authentication and authorization checks.',
 'impact': {'operational_impact': 'Potential widespread compromise of '
                                  'unpatched edge and perimeter infrastructure',
            'systems_affected': 'HPE OneView infrastructure management '
                                'platforms'},
 'initial_access_broker': {'entry_point': 'ExecuteCommand REST API endpoint '
                                          '(HPE OneView id-pools '
                                          'functionality)',
                           'high_value_targets': 'Unpatched edge and perimeter '
                                                 'infrastructure'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Urgency of applying patches and implementing compensating '
                    'controls to mitigate exposure',
 'post_incident_analysis': {'corrective_actions': 'Patch management and '
                                                  'compensating controls',
                            'root_causes': 'Missing authentication and '
                                           'authorization checks in HPE '
                                           "OneView's ExecuteCommand REST API "
                                           'endpoint'},
 'recommendations': 'Apply patches for CVE-2025-37164 and implement '
                    'compensating controls for HPE OneView',
 'references': [{'source': 'Check Point Research'},
                {'date_accessed': '2026-01-07',
                 'source': 'CISA Known Exploited Vulnerabilities (KEV) '
                           'catalog'}],
 'regulatory_compliance': {'regulatory_notifications': "Included in CISA's "
                                                       'Known Exploited '
                                                       'Vulnerabilities (KEV) '
                                                       'catalog'},
 'response': {'remediation_measures': 'Apply patches and implement '
                                      'compensating controls',
              'third_party_assistance': 'Check Point Research'},
 'threat_actor': 'RondoDox botnet',
 'title': 'Critical HPE OneView Vulnerability Exploited in Large-Scale Botnet '
          'Campaign',
 'type': 'Botnet Campaign',
 'vulnerability_exploited': 'CVE-2025-37164'}