Check Point Research has identified an active, coordinated exploitation campaign targeting CVE-2025-37164, a critical remote code execution vulnerability affecting HPE OneView. The activity, observed directly in Check Point telemetry, is attributed to the RondoDox botnet and represents a sharp escalation from early probing attempts to large-scale, automated attacks.
Check Point has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act.
On January 7, 2026 Check Point Research reported the campaign to CISA, and the vulnerability was added to the Known Exploited Vulnerabilities KEV catalog the same day.
Vulnerability Overview
On December 16, 2025 Hewlett Packard Enterprise HPE published an advisory for CVE-2025-37164, a critical remote code execution vulnerability in HPE OneView, reported by security researcher Nguyen Quoc Khanh. HPE OneView is an IT infrastructure management platform that automates the management of computation, storage, and networking resources, and is widely used by organizations across various sectors.
The vulnerability resides in the exposed executeCommand REST API endpoint tied to the id-pools functionality. The endpoint accepts attacker supplied input without authentication or authorization checks and executes it directly via the underlying operating system runtime, without authentication or authorization checks.
This provides attackers with a direct path to remote code execution on affected systems.
Early Activity and Protection Deployment
Check Point promptly addressed this vulnerability by deploying an emergency Quantum Intrusion Prevention System protection for this vulnerability on December 21st. Initial exploitation attempts detected later that same evening. Early analysis of our telemetry indicates that the activity mainly consisted of straightforward proof-of-concept exploitation attempts.
Large Scale Active Exploitation Observed
On January 7, 2026, Check Point Research observed a dramatic escalation.
Between 05:45 and 09:20 UTC, we recorded more than 40,000 attack attempts exploiting CVE-2025-37164 were recorded. Analysis indicates that these attempts were automated, botnet-driven exploitation.
We attribute this activity to the RondoDox botnet based on a distinctive user agent string and the commands observed, including those designed to download RondoDox malware from remote hosts.
Figure 1: Active Exploitation Attempt
Attack Origin and Targeting
The majority of the activity we observed originated from a single Dutch IP address that has been widely reported online as suspicious. Check Point telemetry confirms this threat actor is highly active.
The campaign impacted organizations across multiple sectors, with the highest concentration of activity observed against government organizations, followed by the financial services and industrial manufacturing sectors.
Targets were distributed globally. The United States experienced the highest volume of attacks, followed by Australia, France, Germany, and Austria.
RondoDox Botnet Activity
RondoDox is an emerging Linux-based botnet that targets internet-facing IoT devices and web servers, and primarily conducts distributed DDoS attacks and perform cryptocurrency mining.
First publicly identified in mid-2025, Check Point has observed RondoDox actively exploiting high-profile vulnerabilities, including December’s React2Shell CVE-2025-55182, with a particular focus on unpatched edge and perimeter infrastructure.
The exploitation of CVE-2025-37164 aligns directly with this pattern.
What Organizations Should Do Now
The rapid transition from disclosure to mass exploitation leaves little room for delay.
Organizations running HPE OneView should patch immediately and ensure compensating controls are in place. The inclusion of CVE-2025-37164 in CISA’s KEV catalog reinforces the urgency. This vulnerability is actively exploited and presents a real-world risk.
Check Point Customers Remain Protected
Check Point’s Intrusion Prevention Systems IPS actively block attempts to exploit CVE-2025-37164 and similar vulnerabilities, protecting customers during the critical window between disclosure and patching.
IPS protections in Check Point’s Next Generation Firewall are updated automatically. Whether a vulnerability was disclosed years ago or minutes ago, Check Point customers remain protected from exploitation attempts targeting vulnerable systems across their environments.
