
Active, large‑scale exploitation of CVE‑2025‑37164 threatens any organization running an unpatched HPE OneView appliance, and because OneView manages compute, storage and networking, a compromised appliance puts the core of the data center at risk. Prompt patching and compensating network controls are essential to keep the campaign from becoming a widespread compromise.
HPE OneView is a widely deployed infrastructure‑management suite that centralizes compute, storage and networking operations for data‑center environments. The recently disclosed CVE‑2025‑37164 resides in the ExecuteCommand REST endpoint tied to the id‑pools feature and allows an unauthenticated caller to inject arbitrary commands that run directly on the appliance's host operating system. Rated 10.0 under CVSS v3.1, the flaw gives full remote code execution without any credentials: an attacker needs nothing more than network reachability to the appliance's management interface, so no phishing, credential theft or application‑layer bypass is required, and any unpatched appliance reachable from an untrusted network is a high‑value target.
The exploitation surge is being driven by the Linux‑based RondoDox botnet, which has moved from opportunistic probing to fully automated, large‑scale attacks. Check Point Research recorded more than 40,000 intrusion attempts within a four‑hour window on 7 January, and tens of thousands of additional probes have been blocked since the campaign emerged. RondoDox builds its footprint from compromised edge devices, and a compromised OneView appliance sits inside the management plane, giving the botnet a foothold from which to move laterally toward critical workloads. CISA has added the flaw to its Known Exploited Vulnerabilities catalog, which obliges US federal civilian agencies to remediate it by a fixed deadline under BOD 22‑01 and serves as a prioritization signal for everyone else.
Enterprises should treat CVE‑2025‑37164 as a top‑priority patching item and verify that every OneView appliance is running the fixed release HPE has published. Because the endpoint is unauthenticated, application‑level controls cannot be relied on; in parallel with patching, place the appliance's management interface on a segmented management network, restrict access to it (and so to the ExecuteCommand API) to the hosts that administer it, and apply strict outbound filtering from the appliance so that a successful injection cannot fetch a payload or reach botnet command‑and‑control. Appliances that were reachable from untrusted networks before the patch was applied should also be checked for signs of prior compromise, since patching closes the entry point but does not remove anything already installed. Threat‑intelligence feeds such as those from Check Point and CISA help security teams spot the campaign's traffic early and adjust detection rules accordingly. As attackers increasingly weaponize unmanaged infrastructure, a layered defense that combines timely updates with robust monitoring will be essential to protect critical data‑center operations.
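Detection logic of the kind the paragraph calls for, written here as an added example that is not from the article, Check Point, HPE or CISA. It scans combined‑format access logs for calls to an endpoint whose path contains "ExecuteCommand", reports any call from outside an assumed management subnet, escalates calls that succeeded (the flaw is pre‑auth, so a 2xx means the request was processed, not merely attempted), and reports sources that hit the endpoint in bursts, the pattern behind the 40,000‑attempt figure above. The endpoint path, the management subnet, the burst threshold, the log format and the sample log lines are all constructed assumptions; take the real URI from HPE's advisory and adapt the regex to whatever format your reverse proxy or appliance actually logs.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions, not facts from the article: the subnet allowed to call the
# appliance API, and the rate above which a source is treated as a scanner.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]
WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 3  # more than this many calls per WINDOW from one source

# Assumption: the vulnerable endpoint's path contains this token. The article
# names the endpoint "ExecuteCommand" but not its URI; use HPE's advisory for
# the exact path in production.
ENDPOINT_RE = re.compile(r"executecommand", re.IGNORECASE)

# Apache/nginx "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines (not real traffic); the path is an assumed one.
SAMPLE_LOG = """\
10.10.0.5 - - [07/Jan/2026:10:01:02 +0000] "POST /rest/id-pools/ExecuteCommand HTTP/1.1" 200 512 "-" "oneview-cli"
198.51.100.23 - - [07/Jan/2026:10:01:05 +0000] "POST /rest/id-pools/ExecuteCommand HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.23 - - [07/Jan/2026:10:01:06 +0000] "POST /rest/id-pools/ExecuteCommand HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.23 - - [07/Jan/2026:10:01:07 +0000] "POST /rest/id-pools/ExecuteCommand HTTP/1.1" 401 0 "-" "curl/8.0"
198.51.100.23 - - [07/Jan/2026:10:01:08 +0000] "POST /rest/id-pools/ExecuteCommand HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.9 - - [07/Jan/2026:10:02:00 +0000] "GET /rest/version HTTP/1.1" 200 64 "-" "python-requests/2.31"
this line is not an access-log record and must be skipped
"""


def parse_line(line):
    """Return a dict with ip, time (datetime), method, path, status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_management_source(ip):
    """True if the source address falls inside one of the allowed subnets."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def max_calls_in_window(times):
    """Largest number of calls from one source inside any WINDOW-long span."""
    recent = deque()
    best = 0
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > WINDOW:
            recent.popleft()
        best = max(best, len(recent))
    return best


def analyze(lines):
    """Report calls to the command-execution endpoint that should not happen.

    Returns (ip, path, status, reason) tuples. A call from outside MGMT_NETS is
    always reported; a 2xx from such a source is escalated because the flaw is
    pre-auth, so success means the payload reached the host; a source exceeding
    BURST_THRESHOLD calls per WINDOW is reported as automated scanning.
    """
    findings = []
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not ENDPOINT_RE.search(rec["path"]):
            continue
        hits[rec["ip"]].append(rec["time"])
        if is_management_source(rec["ip"]):
            continue
        if 200 <= rec["status"] < 300:
            reason = "successful call from non-management source (possible RCE)"
        else:
            reason = "call from non-management source"
        findings.append((rec["ip"], rec["path"], rec["status"], reason))
    for ip, times in hits.items():
        n = max_calls_in_window(times)
        if n > BURST_THRESHOLD:
            findings.append((ip, "*", 0, f"{n} calls within {WINDOW} (automated scanning)"))
    return findings


def run_demo():
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

On the sample above the management host's call is ignored, each of the four calls from 198.51.100.23 is reported (the one that returned 200 is escalated as a possible successful injection), and that source is additionally flagged for four hits inside the five‑minute window. The allowlist check is the detection counterpart of the segmentation the paragraph recommends: once the management interface is reachable only from the management subnet, any log line this script reports is also a segmentation failure worth investigating.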