HPE OneView actively exploited remote code execution flaw (CVE-2025-37164)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2025-37164 in HPE OneView is being actively exploited, with Check Point Research reporting a Linux-based RondoDox botnet campaign that escalated in January 2026 after early probing in December 2025. The firm recorded more than 40,000 attack attempts on 7 January between 05:45 and 09:20 UTC and said the activity was automated, botnet-driven exploitation. The flaw is a critical RCE in the exposed ExecuteCommand REST API endpoint, and CISA added it to the KEV catalog.
Cases
Related Happenings
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation Wave
H score87
First: 05.06.2026 11:38
Last: 05.06.2026 11:38
Sources 1
About this happening:
Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Everest Forms Pro CVE-2026-3300 active exploitation wave
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-3300** in **Everest Forms Pro** is driving **complete site compromise** risk for WordPress sites. Attackers have been using the flaw for arbitrar...
Magento exploitation wave for CVE-2026-45247
Exploitation Wave
H score9
First: 04.06.2026 10:19
Last: 04.06.2026 10:19
Sources 1
About this happening:
Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
Magento exploitation wave for CVE-2026-45247
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-45247** is hitting **Mirasvit Cache Warmer** on **Magento** stores, with malicious requests carrying serialized PHP payloads that can lead to **r...
PAN-OS GlobalProtect CVE-2026-0257 exploitation wave
Exploitation Wave
H score18
First: 01.06.2026 11:30
Last: 01.06.2026 11:30
Sources 1
About this happening:
A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...
PAN-OS GlobalProtect CVE-2026-0257 exploitation wave
Exploitation WaveAbout this happening: A **CVE-2026-0257** exploitation wave is hitting **Palo Alto Networks PAN-OS GlobalProtect** appliances, creating **unauthorized VPN access** risk for **multiple customers**. **Ra...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation Wave
H score89
First: 04.05.2026 11:25
Last: 04.05.2026 11:25
Sources 1
About this happening:
Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)
Exploitation WaveAbout this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
Campaign
H score38
First: 22.04.2026 23:04
Last: 22.04.2026 23:04
Sources 1
About this happening:
The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign
CampaignAbout this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...
Timeline
-
08.01.2026 09:45 3 articles · 6mo ago
HPE warns on December 16 about OneView RCE and advises upgrading
Mitigation Patch UpdateHPE warns on December 16 that CVE-2025-37164 in HPE OneView could let a remote unauthenticated user achieve remote code execution, says all OneView versions released before v11.00 are affected, and advises customers to upgrade to OneView version 11.00 or later because no workarounds or mitigations are available.
Show sources
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- RondoDox Botnet Targets HPE OneView Vulnerability in Exploitation Wave — www.infosecurity-magazine.com — 16.01.2026 11:15
- HPE OneView Flaw Rated CVSS 10.0 Allows Unauthenticated Remote Code Execution — thehackernews.com — 18.12.2025 16:39
-
08.01.2026 09:45 2 articles · 6mo ago
CISA flags CVE-2025-37164 in HPE OneView as actively exploited
Initial DisclosureCISA flags CVE-2025-37164 in HPE OneView as actively exploited, adds the flaw to its catalog of vulnerabilities exploited in the wild, and gives Federal Civilian Executive Branch agencies three weeks to secure affected systems by January 28 under BOD 22-01 while urging other organizations to patch or discontinue use if mitigations are unavailable.
Show sources
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45
- CISA tags max severity HPE OneView flaw as actively exploited — www.bleepingcomputer.com — 08.01.2026 09:45