- HPE OneView RCE Critical Flaw (CVE-2025-37164) Exploited Despite Patch Release
- Over 40,000 botnet-driven attacks observed, primarily from RondoDox targeting key sectors
- CPR and CISA urge immediate patching due to active, high-severity exploitation
There is currently a “dramatic escalation” in the exploitation of a critical vulnerability in HPE OneView, experts warned.
HPE OneView is a unified IT infrastructure management platform that automates provisioning and lifecycle management using software-defined templates.
Cybersecurity experts at Check Point Research (CPR) are urging all users to apply the available patch immediately, after they discovered a remote code execution (RCE) vulnerability in mid-December 2025 that allowed threat actors to execute malware on the underlying operating system.
Real world risk
The bug is now tracked as CVE-2025-37164 and has been assigned a severity score of 9.8/10 (critical).
On December 21, 2025, HPE released a patch, and the first exploitation attempts were seen that same night. At first, these attempts were nothing more than probes and reconnaissance, as cybercriminals tested the waters to see if, how, and to what extent the bug could actually be abused.
A few weeks later, starting on January 7, CPR investigators observed “a dramatic escalation,” recording more than 40,000 attack attempts in less than four hours. The attempts were automated, botnet-driven, and attributed to the RondoDox botnet.
This is a relatively new Linux-based botnet that does all the usual things: it facilitates distributed denial of service (DDoS) attacks and crypto mining.
Most of the activity comes from a single IP address in the Netherlands, CPR said, emphasizing that the IP address was “widely reported” as suspicious. RondoDox primarily targets government organizations, but also financial services and industrial manufacturing companies. The majority of victims are in the United States, followed by Australia, France, Germany and Austria.
Considering all this, CPR says companies should accelerate patching: “Organizations running HPE OneView should apply patches immediately and ensure compensating controls are in place,” it said in a security advisory.
Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, which CPR stressed “reinforces the urgency.”
“This vulnerability is actively exploited and presents a real-world risk.”




