
"The security outfit says it has identified "large-scale exploitation" of CVE-2025-37164, a maximum-severity remote code execution bug in HPE's data center management platform. Check Point has tied the activity to RondoDox, a Linux-based botnet that weaponizes publicly known vulnerabilities across routers, DVRs, web servers, and other devices, using an "exploit-shotgun" approach to build sprawling botnet networks for DDoS, cryptomining, and secondary payload delivery."
""Between 05:45 and 09:20 UTC, we recorded more than 40,000 attack attempts exploiting CVE-2025-37164," Check Point said in a Thursday blog post. "Analysis indicates that these attempts were automated, botnet-driven exploitation. "We attribute this activity to the RondoDox botnet based on a distinctive user agent string and the commands observed, including those designed to download RondoDox malware from remote hosts.""
"When HPE first disclosed the bug in mid-December, its fix was greeted with urgency because of its perfect 10 CVSS severity score and the fact that OneView controls servers, storage, and networking from a central point - essentially a high-privilege command center inside many enterprise environments. At that stage, the big unknown was whether miscreants were moving past proof-of-concept exploitation to full-blown campaigns. Now that uncertainty is gone, tens of thousands of exploit attempts have been observed, Check Point's telemetry shows."
HPE OneView CVE-2025-37164 is a remote code execution vulnerability with a perfect 10 CVSS severity score that enables high-privilege access to servers, storage, and networking. Check Point observed large-scale automated exploitation tied to the Linux-based RondoDox botnet, which uses an "exploit-shotgun" approach to weaponize public vulnerabilities across routers, DVRs, web servers, and other devices. Tens of thousands of exploit attempts were recorded, with a dramatic escalation on January 7 and more than 40,000 attack attempts between 05:45 and 09:20 UTC. Exploit activity included commands to download RondoDox malware, primarily originating from a known Dutch IP address.
Read at The Register