- Critical HPE OneView RCE Vulnerability (CVE-2025-37164) Exploited Despite Patch Release
- Over 40,000 botnet-powered attacks observed, mostly from RondoDox targeting key sectors
- CPR and CISA encourage immediate patching due to high severity active exploitation
A “dramatic escalation” in the exploitation of a critical vulnerability in HPE OneView is currently taking place, experts have warned.
HPE OneView is a unified IT infrastructure management platform that automates delivery and lifecycle management using software-defined templates.
Cybersecurity experts at Check Point Research (CPR) are urging all users to apply the available patch immediately, after they discovered a remote code execution (RCE) vulnerability in mid-December 2025 that allowed threat actors to run malware on underlying operating systems.
Risk in the real world
The bug is now tracked as CVE-2025-37164 and was given a severity score of 9.8/10 (Critical).
On December 21, 2025, HPE released a patch and saw the first exploit attempts that same night. Initially, these trials were nothing more than probing and reconnaissance, as cybercriminals tested the waters to see if the flaw could really be exploited, how, and to what extent.
A few weeks later, starting on January 7, CPR researchers observed “a dramatic escalation”, recording more than 40,000 attack attempts in less than four hours. The attempts were automated, botnet-driven and attributed to the RondoDox botnet.
This is a relatively new, Linux-based botnet that does all the usual things: facilitating Distributed Denial of Service (DDoS) attacks and cryptomining.
Most of the activity comes from a single IP address in the Netherlands, CPR said, stressing that the IP address was “generally reported” as suspicious. RondoDox primarily targets government organizations, but also financial services companies and those in the industrial manufacturing sector. The majority of victims are located in the United States, followed by Australia, France, Germany and Austria.
All things considered, CPR says companies should expedite patching: “Organizations running HPE OneView should patch immediately and ensure compensating controls are in place,” a security advisory says.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which, CPR further stressed, “amplifies the urgency”.
“This vulnerability is being actively exploited and poses a real-world risk.”



