Urgent Action Required: New Botnet Exploits HPE OneView Vulnerability

Experts warn of a critical HPE OneView vulnerability being exploited by the RondoDox botnet, urging immediate patching.

Andrew Wallace

Professional Tech Editor

Focuses on professional-grade hardware, software, and enterprise solutions.

  • Critical HPE OneView RCE flaw (CVE-2025-37164) exploited despite patch release
  • Over 40,000 botnet-driven attacks observed, mainly from RondoDox targeting key sectors
  • CPR and CISA urge immediate patching due to active, high-severity exploitation

A significant increase in the exploitation of a critical vulnerability in HPE OneView has been reported by cybersecurity experts.

HPE OneView is a unified IT infrastructure management platform that automates provisioning and lifecycle management using software-defined templates.

Cybersecurity experts from Check Point Research (CPR) are advising all users to apply the available patch immediately, following their discovery of a remote code execution (RCE) vulnerability in mid-December 2025 that allows threat actors to execute malware on the underlying operating systems.

Real-world risk

This vulnerability, tracked as CVE-2025-37164, has a severity score of 9.8/10 (critical).

On December 21, 2025, HPE released a patch, but exploitation attempts began the same night. Initially, these attempts were limited to probing and reconnaissance as cybercriminals assessed the vulnerability's potential for abuse.

By January 7, researchers from CPR noted a “dramatic escalation,” recording over 40,000 attack attempts within just four hours. These attempts were automated and attributed to the RondoDox botnet.

RondoDox is a relatively new, Linux-based botnet that conducts typical activities such as facilitating Distributed Denial of Service (DDoS) attacks and cryptomining.

Most of the activity originates from a single IP address in the Netherlands, which has been widely reported as suspicious. RondoDox primarily targets government organizations, financial services, and industrial manufacturing sectors, with most victims located in the United States, followed by Australia, France, Germany, and Austria.

Given the circumstances, CPR emphasizes the need for businesses to expedite patching: “Organizations running HPE OneView should patch immediately and ensure compensating controls are in place,” they stated in a security advisory.

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, further emphasizing the urgency of the situation.

“This vulnerability is actively exploited and presents a real-world risk.”
