
"Check Point Research has identified a coordinated attack campaign targeting CVE-2025-37164, a critical vulnerability in HPE OneView. The RondoDox botnet is escalating from early reconnaissance to large-scale, automated attacks. Check Point has already blocked tens of thousands of exploitation attempts. The wave of attacks came quickly after the vulnerability was published. On December 16, 2025, Hewlett Packard Enterprise published an advisory on CVE-2025-37164, a critical remote code execution vulnerability in HPE OneView."
"On January 7, 2026, activity increased explosively. Between 05:45 and 09:20 UTC, Check Point Research recorded more than 40,000 attack attempts. The analyses point to automated, botnet-driven exploitation. Check Point attributes this activity to the RondoDox botnet based on a distinctive user-agent string and the observed commands. The RondoDox botnet targets IoT devices and web servers, carrying out distributed DDoS attacks and cryptocurrency mining."
"Check Point deployed emergency protection via its Quantum Intrusion Prevention System on December 21. That same evening, they detected the first exploitation attempts. What started as simple proof-of-concept attempts quickly escalated into something much bigger. The exploitation of CVE-2025-37164 follows on directly from this. The vulnerability is in the executeCommand REST API endpoint of the id-pools functionality. The endpoint accepts input from attackers without authentication or authorization checks and executes it directly via the underlying operating system's runtime."
On December 16, 2025, Hewlett Packard Enterprise published an advisory on CVE-2025-37164, a critical remote code execution vulnerability in HPE OneView. The vulnerability permits unauthenticated attackers to execute code directly and received the highest possible severity score. Check Point deployed emergency protection via its Quantum Intrusion Prevention System on December 21 and detected the first exploitation attempts that evening. Activity escalated on January 7, 2026, when more than 40,000 automated attack attempts occurred between 05:45 and 09:20 UTC. Check Point attributes the activity to the RondoDox botnet based on a distinctive user-agent string and the observed commands. The executeCommand REST API endpoint in the id-pools functionality accepts unauthenticated input and executes it via the underlying OS runtime. Most observed activity originated from a single Dutch IP address.
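A defender-side triage routine, added here as an illustration and not code from Check Point, HPE or the article: it scans constructed web-server log lines for requests to the id-pools executeCommand endpoint, tallies them by source IP and user-agent (the two signals the article says drove attribution) and flags five-minute bursts. The URL path, the log format and the user-agent strings are assumptions, since the page gives none of them.

```python
import re
from collections import Counter
from datetime import datetime

# Hypothetical path: the article names only the id-pools executeCommand endpoint,
# not a concrete URL, so match loosely on those two tokens.
ENDPOINT_RE = re.compile(r"/id-pools/.*executeCommand", re.IGNORECASE)

# Constructed sample lines (not real traffic): ts ip method path status "user-agent"
SAMPLE_LOG = """\
2026-01-07T05:45:02Z 203.0.113.10 POST /rest/id-pools/executeCommand 500 "botnet-ua/1.0"
2026-01-07T05:45:03Z 203.0.113.10 POST /rest/id-pools/executeCommand 500 "botnet-ua/1.0"
2026-01-07T05:46:10Z 198.51.100.7 GET /rest/version 200 "Mozilla/5.0"
2026-01-07T05:47:55Z 203.0.113.10 POST /rest/id-pools/executeCommand 401 "botnet-ua/1.0"
2026-01-07T06:02:00Z 192.0.2.44 POST /rest/id-pools/executeCommand 500 "curl/8.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Parse one line of the assumed log format into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def find_exploit_attempts(log_text):
    """Return records whose path targets the executeCommand endpoint, regardless of status."""
    return [r for r in map(parse_line, log_text.splitlines())
            if r and ENDPOINT_RE.search(r["path"])]

def summarize(hits):
    """Tally attempts by source IP and by user-agent string."""
    return {"total": len(hits),
            "by_ip": Counter(h["ip"] for h in hits),
            "by_ua": Counter(h["ua"] for h in hits)}

def burst_windows(hits, minutes=5, threshold=3):
    """Return {window_start_iso: count} for windows with at least `threshold` attempts."""
    buckets = Counter()
    for h in hits:
        t = h["ts"]
        start = t.replace(minute=(t.minute // minutes) * minutes, second=0, microsecond=0)
        buckets[start.isoformat()] += 1
    return {k: v for k, v in buckets.items() if v >= threshold}
```

Lower the threshold or widen the window to match your own baseline; a single source producing a sustained burst against this endpoint is the pattern worth alerting on.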
Read at Techzine Global