Key Highlights
- A critical vulnerability in HPE OneView is being actively exploited by the RondoDox IoT botnet.
- Security researchers blocked more than 40,000 attack attempts linked to the campaign.
- The flaw has been added to CISA’s Known Exploited Vulnerabilities catalogue.
A newly disclosed vulnerability in Hewlett Packard Enterprise (HPE)’s OneView infrastructure management platform is being exploited in an active botnet campaign targeting Internet of Things (IoT) devices and web servers.
Security firm Check Point reported blocking more than 40,000 attack attempts linked to the RondoDox botnet, a Linux-based malware strain known for launching distributed denial-of-service (DDoS) attacks and conducting cryptocurrency mining operations.
The campaign exploits a remote code execution (RCE) flaw tracked as CVE-2025-37164, which affects all HPE OneView versions up to 11.00.
Global Attack Activity Observed
Check Point notified the U.S. Cybersecurity and Infrastructure Security Agency (CISA) of the campaign on January 7, which also marked the peak of observed attack activity so far. On the same day, the vulnerability was added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue, underscoring its severity.
“The majority of observed activity originated from a single Dutch IP address that has been widely reported online as suspicious,” Check Point said. According to the firm, the attacks targeted organizations across multiple industries, with government entities experiencing the highest volume, followed by financial services and industrial manufacturing sectors.
Geographically, the attacks were distributed worldwide. The United States recorded the highest number of incidents, followed by Australia, France, Germany, and Austria, researchers noted.
Patch Guidance and Vendor Response
Following the disclosure, HPE released security patches covering OneView versions 5.20 through 10.20.
The company cautioned that the hotfix must be reapplied after upgrading appliances from version 6.60.xx to 7.00.00, including any HPE Synergy Composer reinstallations.
Despite active exploitation reported by security researchers, HPE stated that it has not yet received direct customer reports confirming real-world compromise linked to the vulnerability.
“This vulnerability can only be exploited if the threat actor has local access to a user’s network, and we encourage our customers to ensure they are using best security practices in their network environment,” HPE said in a statement.
Growing Risk to Infrastructure Platforms
The campaign highlights the increasing attractiveness of software-defined infrastructure management platforms as targets for botnets. Tools like HPE OneView often sit at the center of enterprise environments, making them valuable entry points for attackers seeking to deploy malware, disrupt operations, or gain persistent access.
With the vulnerability now confirmed as actively exploited, organizations running HPE OneView are being urged to apply patches immediately and review network access controls.
The RondoDox campaign serves as another reminder that IoT-focused botnets continue to evolve, increasingly targeting enterprise infrastructure software alongside traditional endpoints.