RondoDox botnet linked to large-scale exploit of critical HPE OneView bug

A critical HPE OneView flaw is now being exploited at scale, with Check Point tying mass, automated attacks to the RondoDox botnet.

The security outfit says it has identified “large-scale exploitation” of CVE-2025-37164, a maximum-severity remote code execution bug in HPE’s data center management platform. Check Point has tied the activity to RondoDox, a Linux-based botnet that weaponizes publicly known vulnerabilities across routers, DVRs, web servers, and other devices, using an “exploit-shotgun” approach to build sprawling botnets for DDoS, cryptomining, and secondary payload delivery.

When HPE first disclosed the bug in mid-December, the fix was treated as urgent because of the flaw's perfect 10 CVSS severity score and the fact that OneView controls servers, storage, and networking from a central point – essentially a high-privilege command center inside many enterprise environments.

At that stage, the big unknown was whether miscreants were moving past proof-of-concept exploitation to full-blown campaigns. That uncertainty is now gone: tens of thousands of exploit attempts have been observed, Check Point’s telemetry shows, with automated scanners targeting vulnerable systems en masse.

The firm says it observed a “dramatic escalation” in exploit activity on January 7, the same day the flaw was added to CISA’s list of actively exploited flaws.

“Between 05:45 and 09:20 UTC, we recorded more than 40,000 attack attempts exploiting CVE-2025-37164,” Check Point said in a Thursday blog post. “Analysis indicates that these attempts were automated, botnet-driven exploitation.

“We attribute this activity to the RondoDox botnet based on a distinctive user agent string and the commands observed, including those designed to download RondoDox malware from remote hosts.”

Check Point says the majority of the activity came from a single Dutch IP address already well known in threat intel circles, suggesting a particularly active operator.
