- Critical HPE OneView RCE flaw (CVE-2025-37164) exploited despite patch release
- More than 40,000 botnet attacks observed, mostly from RondoDox targeting key industries
- CPR and CISA urge immediate updates due to active, high-severity exploitation
A “dramatic escalation” in the exploitation of a critical HPE OneView vulnerability is underway, experts have warned.
HPE OneView is a unified IT infrastructure management platform that automates provisioning and lifecycle management using software-defined templates.
Cybersecurity experts at Check Point Research (CPR) are urging all users to immediately apply the available patch, after discovering a remote code execution (RCE) vulnerability in mid-December 2025 that allowed malicious actors to execute malware on underlying operating systems.
Real risk
The bug is now tracked as CVE-2025-37164 and has received a severity score of 9.8/10 (critical).
On December 21, 2025, HPE released a patch and noticed the first exploitation attempts that same night. At first, these attempts were little more than probing and reconnaissance, with cybercriminals testing the waters to see if, how, and to what extent the bug could actually be misused.
A few weeks later, from January 7, CPR researchers observed “a dramatic escalation”, recording more than 40,000 attempted attacks in less than four hours. The attempts were automated, botnet-driven, and attributed to the RondoDox botnet.
RondoDox is a relatively new, Linux-based botnet that does all the usual things: it facilitates distributed denial of service (DDoS) attacks and cryptomining.
Most of the activity comes from a single IP address in the Netherlands, CPR said, noting that the IP address was “widely flagged” as suspicious. RondoDox primarily targets government organizations, but also financial services companies and those in the industrial manufacturing sector. The majority of victims are in the United States, followed by Australia, France, Germany and Austria.
All things considered, CPR says companies should accelerate patching: “Organizations running HPE OneView should patch immediately and ensure compensating controls are in place,” it said in a security advisory.
In the meantime, the US Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which, CPR further emphasizes, “increases the urgency”.
“This vulnerability is being actively exploited and poses a real risk.”




