Vulnerability
Exploitation Wave
Security Patch Release
HPE OneView exploitation and remediation around CVE-2025-37164
Updated 16.01.2026 11:15
Case score 69
Score breakdown
- Total: 69
- Lead score: 66
- Support bonus: +3 / 20
- Scoring support: 1
- Context members: 1
Top contributors
- Vulnerability (base): Critical HPE OneView flaw under active exploitation; anchors the case.
- Exploitation Wave (support): Automated RondoDox-driven exploitation wave against the same CVE; adds direct attack confirmation.
- Security Patch Release (context): Vendor remediation for the same CVE; useful response context but not attack evidence.
Members 3
Latest activity 16.01.2026 11:15
Active exploitation
Public PoC/exploit reported
Patch available
CVSS: 10.0 Critical
First seen 18.12.2025 16:39
Last seen 16.01.2026 11:15
Overview
**CVE-2025-37164** in **HPE OneView** is under active exploitation. Check Point Research attributes the activity to a **RondoDox** botnet campaign that moved from probing in December 2025 to automated exploitation in January 2026. On 7 January, Check Point observed more than 40,000 attempts in a few hours against the exposed **ExecuteCommand REST API**, which is an unauthenticated remote-code-execution path into management-plane deployments.
HPE issued **version 11.00** and hotfixes for earlier supported releases, and **CISA** placed the flaw in the **KEV catalog** with a **January 28** deadline for **FCEB** agencies under **BOD 22-01**. Available evidence does not quantify successful compromise, but the activity remains urgent: there is no workaround, and an exposed OneView management surface is directly executable by anyone who can reach it.
Attackers are exploiting **CVE-2025-37164** in **HPE OneView**, turning a critical management-plane flaw into a high-volume remote code execution risk for exposed deployments. Check Point Research tied the activity to the Linux-based **RondoDox** botnet and said probing in December 2025 escalated into automated exploitation in January 2026. On 7 January, between 05:45 and 09:20 UTC, Check Point observed more than 40,000 attack attempts and said it blocked tens of thousands of them.
The vulnerable **ExecuteCommand REST API** endpoint in the id-pools function accepts attacker-supplied input without authentication or authorization checks and can pass it to the operating system runtime, so any client that can reach the endpoint can execute commands on the OneView host. HPE released **version 11.00** and hotfixes for earlier supported releases, and **CISA** added the flaw to the **KEV catalog** on the same day the campaign was reported. HPE also said there are no workarounds, so the only interim mitigation is to remove the management interface from untrusted networks until the fix is applied; **FCEB** agencies must secure affected systems by **January 28** under **BOD 22-01**. Available evidence does not quantify how many organizations were hit or how many exploitation attempts succeeded, so exposed deployments should review access logs for requests to the endpoint rather than assume the attempts failed.
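The following triage script is an added example, not code from HPE, Check Point or CISA. It parses constructed access-log lines, flags requests that hit the ExecuteCommand endpoint under id-pools, summarizes the burst (attempts per source, how many returned a 2xx, the peak count in any one-hour window) and gates on the fixed release. The path pattern `/id-pools/.../ExecuteCommand`, the log format and the sample traffic are assumptions for illustration; the page gives only the endpoint and function names, not the full path. The version check treats 11.00 as the first fixed release and flags anything older for a hotfix review, since the page says hotfixes exist for earlier supported branches but does not list them.

```python
"""Triage OneView access logs for CVE-2025-37164 exploitation attempts.

Added example, not vendor or researcher code. Assumed (not from the page):
the request path matches "/id-pools/<anything>/ExecuteCommand", the log
format is "ip timestamp method path status", and the sample lines below are
constructed, not real traffic.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Fields: ip ts method path status
SAMPLE_LOG = """\
203.0.113.10 2026-01-07T05:46:02Z POST /rest/id-pools/ipv4/ExecuteCommand 200
203.0.113.10 2026-01-07T05:46:03Z POST /rest/id-pools/ipv4/ExecuteCommand 200
198.51.100.7 2026-01-07T05:50:11Z GET /rest/version 200
203.0.113.11 2026-01-07T06:01:40Z POST /rest/id-pools/ipv4/executecommand 500
192.0.2.5 2026-01-07T09:19:59Z POST /rest/id-pools/vmac/ExecuteCommand 401
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed marker for the vulnerable endpoint; matched case-insensitively
# because scanners vary casing to dodge naive string filters.
TARGET_RE = re.compile(r"/id-pools/.*/ExecuteCommand", re.IGNORECASE)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    return rec


def find_attempts(log_text):
    """Return every parsed request whose path hits the assumed endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and TARGET_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def burst_summary(hits, window=timedelta(hours=1)):
    """Summarize attempts: per-source counts, 2xx count, peak per window.

    A 2xx on this endpoint is the escalation trigger: the endpoint performs
    no authentication check, so a successful response means the supplied
    command reached the host, not merely that the request was seen.
    """
    per_source = Counter(h["ip"] for h in hits)
    succeeded = sum(1 for h in hits if 200 <= h["status"] < 300)
    times = sorted(h["ts"] for h in hits)
    peak, start = 0, 0
    for end, t in enumerate(times):          # sliding window over sorted times
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return {
        "total": len(hits),
        "per_source": dict(per_source),
        "succeeded": succeeded,
        "peak_in_window": peak,
    }


def below_fixed_release(version, fixed=(11, 0)):
    """True if the reported OneView version predates 11.00.

    Older branches may carry a vendor hotfix, which this string comparison
    cannot see, so True means "verify the hotfix", not "confirmed vulnerable".
    """
    parts = tuple(int(p) for p in version.split(".")[:2])
    return parts < fixed


if __name__ == "__main__":
    summary = burst_summary(find_attempts(SAMPLE_LOG))
    print(summary)
    for v in ("10.20", "11.00"):
        print(v, "needs hotfix review" if below_fixed_release(v) else "fixed release")
```

Run it against a real export by replacing `SAMPLE_LOG` with the file contents and adjusting `LINE_RE` to the actual log layout; the sliding-window count is what tells a short scan apart from the automated burst the page describes.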