Patch Now: Active Exploitation Underway for Critical HPE OneView Vulnerability
Executive Summary
- Check Point Research identified active, large-scale exploitation of CVE-2025-37164, a critical remote code execution vulnerability affecting HPE OneView.
- The exploitation campaign is attributed to the RondoDox botnet and escalated rapidly to tens of thousands of automated attack attempts.
- Check Point blocked tens of thousands of exploitation attempts through its security infrastructure, highlighting both the severity of the risk and the importance of layered defenses.
- Check Point reported the active exploitation to CISA on January 7, 2026, and the vulnerability was added to the Known Exploited Vulnerabilities KEV catalog the same day.
- Organizations running HPE OneView should patch immediately to reduce exposure to active exploitation.
- Check Point customers remain protected through automatically updated Intrusion Prevention Systems IPS, which block exploitation attempts targeting this vulnerability.
Check Point Research has identified an active, coordinated exploitation campaign targeting CVE-2025-37164, a critical remote code execution vulnerability affecting HPE OneView. The activity, observed directly in Check Point telemetry, is attributed to the RondoDox botnet and represents a sharp escalation from early probing attempts to large-scale, automated attacks.
Check Point has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act.
On January 7, 2026 Check Point Research reported the campaign to CISA, and the vulnerability was added to the Known Exploited Vulnerabilities KEV catalog the same day.
Vulnerability Overview
On December 16, 2025, Hewlett Packard Enterprise HPE published an advisory for CVE-2025-37164, a critical remote code execution vulnerability in HPE OneView, reported by security researcher Nguyen Quoc Khanh. HPE OneView is an IT infrastructure management platform that automates the management of computation, storage, and networking resources, which is widely used by organizations across various sectors.
The vulnerability resides in the exposed executeCommand REST API endpoint tied to the id-pools functionality. The endpoint accepts attacker supplied input without authentication or authorization checks and executes it directly via the underlying operating system runtime.
This provides attackers with a direct path to remote code execution on affected systems.
Early Activity and Protection Deployment
Check Point promptly addressed this vulnerability by deploying an emergency Quantum Intrusion Prevention System protection for this vulnerability on December 21st, with initial exploitation attempts detected later that same evening. Early analysis of our telemetry indicates that the activity mainly consisted of straightforward proof-of-concept exploitation attempts.
Large Scale Active Exploitation Observed
On January 7, 2026, Check Point Research observed a dramatic escalation.
Between 05:45 and 09:20 UTC, we recorded more than 40,000 attack attempts exploiting CVE-2025-37164 were recorded. Analysis indicates that these attempts were automated, botnet-driven exploitation.
We attributes this activity to the RondoDox botnet based on a distinctive user agent string and the commands observed, including those designed to download RondoDox malware from remote hosts.
Figure 1: Active Exploitation Attempt
Attack Origin and Targeting
The majority of observed activity originated from a single Dutch IP address that has been widely reported online as suspicious. Check Point telemetry confirms this threat actor is highly active.
The campaign impacted organizations across multiple sectors, with the highest concentration of activity observed against government organizations, followed by the financial services and industrial manufacturing sectors.
Targets were distributed globally. The United States experienced the highest volume of attacks, followed by Australia, France, Germany, and Austria.
RondoDox Botnet Activity
RondoDox is an emerging Linux-based botnet that targets internet-facing IoT devices and web servers, and conducts distributed DDoS attacks and perform cryptocurrency mining.
First publicly identified in mid-2025, Check Point observed RondoDox actively exploiting high-profile vulnerabilities, including December’s React2Shell CVE-2025-55182, with a particular focus on unpatched edge and perimeter infrastructure.
The exploitation of CVE-2025-37164 aligns directly with this pattern.
What Organizations Should Do Now
The rapid transition from disclosure to mass exploitation leaves little room for delay.
Organizations running HPE OneView should patch immediately and ensure compensating controls are in place. The inclusion of CVE-2025-37164 in CISA’s KEV catalog reinforces the urgency. This vulnerability is actively exploited and presents a real-world risk.
Check Point Customers Remain Protected
Check Point’s Intrusion Prevention Systems IPS actively block attempts to exploit CVE-2025-37164 and similar vulnerabilities, protecting customers during the critical window between disclosure and patching.
IPS protections in Check Point’s Next Generation Firewall are updated automatically. Whether a vulnerability was disclosed years ago or minutes ago, Check Point customers remain protected from exploitation attempts targeting vulnerable systems across their environments.
Check Point Protections:
IPS – HPE OneView Remote Code Execution CVE-2025-37164
AB – RondoDox Botnet
IOCs
- 192.159.99.95
- 41.231.37.153
- cf90636d7794561da9743a249aa7dbaaa17612700b472f63d6de28930b559b84
You may also like
The Phishing Paradox: The World’s Most Trusted Brands Are Cyber Criminals’ Entry Point of Choice
March 2026 Cyber Threat Landscape Shows No Relief as Ransomware Rebounds and GenAI Risks Intensify
Tax Season 2026: How Cyber Criminals Are Preparing Their Attacks Months in Advance
