Check Point Research uncovered a massive, automated assault on HPE OneView. Researchers observed a botnet launching over 40,000 exploitation attempts in a span of just four hours, targeting a critical vulnerability in the widely used platform.
The campaign, attributed to the emerging RondoDox botnet, targets CVE-2025-37164, a critical remote code execution (RCE) flaw that allows unauthenticated attackers to seize control of the system.
The vulnerability lies deep within the executeCommand REST API endpoint of HPE OneView’s “id-pools” functionality. According to the report, this endpoint “accepts attacker-supplied input without authentication or authorization checks and executes it directly via the underlying operating system runtime”.
This creates a direct highway for attackers. By sending a single malicious request, they can bypass security checks entirely and run arbitrary code on the server.
Hewlett Packard Enterprise (HPE) published an advisory for the flaw on December 16, 2025. Early activity was limited to “straightforward proof-of-concept exploitation attempts”.
That changed dramatically on January 7, 2026. Between 05:45 and 09:20 UTC, Check Point recorded a “dramatic escalation” consisting of tens of thousands of automated attacks.
“The activity… represents a sharp escalation from early probing attempts to large-scale, automated attacks,” the researchers noted.
The perpetrator behind this blitz is RondoDox, a Linux-based botnet first identified in mid-2025. Known for targeting IoT devices and web servers for DDoS attacks and cryptocurrency mining, the group has quickly added high-profile vulnerabilities to its arsenal.
Check Point identified the group through a distinct fingerprint: a User-Agent string reading Mozilla/5.0 (rondo2012@atomicmall.to) and specific commands designed to download RondoDox malware. The majority of the traffic originated from a single, highly suspicious Dutch IP address.
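The fingerprint above is the kind of indicator a defender can hunt for in web-server logs. The script below is an added example, not Check Point's or HPE's code: it assumes combined-format access logs, matches the vulnerable endpoint only by the two path segments the report names (“id-pools” and “executeCommand”), and uses constructed sample lines with placeholder paths and documentation IP addresses.

```python
"""Flag HPE OneView access-log requests matching the RondoDox fingerprint.
Added example, not Check Point's or HPE's code. Assumes combined-format access
logs; the endpoint is matched only by the two path segments the report names
("id-pools", "executeCommand"). Sample lines and paths below are constructed."""
import re
from collections import Counter

# User-Agent string Check Point attributes to RondoDox.
RONDODOX_UA = "Mozilla/5.0 (rondo2012@atomicmall.to)"
# Assumption: the vulnerable endpoint's path contains these segments in order.
TARGET_PATH = re.compile(r"/id-pools/.*\bexecuteCommand\b", re.IGNORECASE)
# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Split one access-log line into named fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """'rondodox' for the botnet fingerprint, 'probe' for any other POST to the
    endpoint (still an unauthenticated RCE attempt), None otherwise."""
    if not entry or entry["method"] != "POST" or not TARGET_PATH.search(entry["path"]):
        return None
    return "rondodox" if entry["ua"] == RONDODOX_UA else "probe"

def summarize(lines):
    """Count verdicts and the source IPs behind them; the reported campaign came
    mostly from one address, so the per-source view is the actionable one."""
    verdicts, sources = Counter(), Counter()
    for line in lines:
        entry = parse(line)
        verdict = classify(entry)
        if verdict:
            verdicts[verdict] += 1
            sources[entry["ip"]] += 1
    return verdicts, sources

# Constructed sample lines (RFC 5737 documentation addresses, placeholder path).
SAMPLE = [
    '203.0.113.10 - - [07/Jan/2026:05:45:02 +0000] "POST /rest/id-pools/POOL-ID/executeCommand HTTP/1.1" 200 12 "-" "Mozilla/5.0 (rondo2012@atomicmall.to)"',
    '203.0.113.10 - - [07/Jan/2026:05:45:03 +0000] "POST /rest/id-pools/POOL-ID/executeCommand HTTP/1.1" 200 12 "-" "Mozilla/5.0 (rondo2012@atomicmall.to)"',
    '198.51.100.7 - - [07/Jan/2026:06:10:44 +0000] "POST /rest/id-pools/POOL-ID/executeCommand HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    '192.0.2.5 - - [07/Jan/2026:06:11:00 +0000] "GET /rest/version HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]
```

Any POST reaching the endpoint is worth investigating even without the User-Agent match, since the flaw needs no credentials; the UA only tells you which actor is behind the traffic.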

The highest concentration of activity targeted government organizations, followed closely by the financial services and industrial manufacturing sectors.
Geographically, the United States saw the highest volume of attacks, with significant activity also reported in Australia, France, Germany, and Austria.
Check Point reported the active exploitation to CISA on January 7, and the vulnerability was immediately added to the Known Exploited Vulnerabilities (KEV) catalog.
Organizations running HPE OneView are urged to patch immediately. “Check Point has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act”.