
RondoDox botnet linked to large-scale exploit of critical HPE OneView bug

(2026/01/16)


A critical HPE OneView flaw is now being exploited at scale, with Check Point tying mass, automated attacks to the RondoDox botnet.

The security outfit says it has identified "large-scale exploitation" of CVE-2025-37164, a maximum-severity remote code execution bug in HPE's data center management platform. Check Point has tied the activity to RondoDox, a Linux-based botnet that weaponizes publicly known vulnerabilities across routers, DVRs, web servers, and other devices, [1]using an "exploit-shotgun" approach to build sprawling botnet networks for DDoS, cryptomining, and secondary payload delivery.

When HPE first disclosed the bug in mid-December, its fix was greeted with urgency because of its perfect 10 CVSS severity score and the fact that OneView controls servers, storage, and networking from a central point – essentially a high-privilege command center inside many enterprise environments.


At that stage, the big unknown was whether miscreants were moving past proof-of-concept exploitation to full-blown campaigns. That uncertainty is now gone: Check Point's telemetry shows tens of thousands of exploit attempts, with automated scanners targeting vulnerable systems en masse.


The firm says it observed a "dramatic escalation" in exploit activity on January 7, the same day the flaw [5]was added to CISA's list of actively exploited flaws.

"Between 05:45 and 09:20 UTC, we recorded more than 40,000 attack attempts exploiting CVE-2025-37164," [6]Check Point said in a Thursday blog post. "Analysis indicates that these attempts were automated, botnet-driven exploitation.


"We attribute this activity to the RondoDox botnet based on a distinctive user agent string and the commands observed, including those designed to download RondoDox malware from remote hosts."

Check Point says the majority of the activity came from a single Dutch IP address already well known in threat intel circles, suggesting a particularly active operator.


It added that the attacks were global, with the United States seeing the highest volume, followed by Australia, France, Germany, and Austria, and activity concentrated mainly against government organizations, along with financial services and industrial manufacturers.

HPE has yet to respond to The Register's questions on Friday, but told us earlier this month that while it had not received reports from customers of the vulnerability being exploited, "it is important that OneView users apply the patch as soon as possible."

If there's a takeaway from the latest OneView drama, it's that management platforms can no longer be left to rot on long patch cycles – because the adversaries definitely won't wait. ®




[1] https://www.theregister.com/2025/10/09/rondodox_botnet_fires_exploit_shotgun/


[5] https://www.theregister.com/2026/01/08/cisa_oneview_powerpoint_bugs/

[6] https://blog.checkpoint.com/research/patch-now-active-exploitation-underway-for-critical-hpe-oneview-vulnerability/





confused

Nate Amsden

(Nevermind can't delete this)

Re: confused

TimMaher

Never mind.

It’s Friday.

Have beer.
