
HPE OneView RondoDox exploitation wave (CVE-2025-37164)

Exploitation Wave
Happening score: 64
1 unique source, 1 article

Summary


RondoDox has driven a large-scale exploitation wave against HPE OneView by targeting CVE-2025-37164, with activity escalating into automated attacks that created immediate risk for exposed systems. The wave became especially concerning on 7 January 2026, when more than 40,000 attack attempts were recorded in a few hours. The flaw is a critical RCE and has already been added to CISA’s KEV catalog, underscoring the urgency for defenders.

Cases

Related Happenings

CPanel & WHM authentication-bypass exploitation wave (CVE-2026-41940)

Exploitation Wave
First: 04.05.2026 11:25 Last: 04.05.2026 11:25 Sources 1

About this happening: Active exploitation of **CVE-2026-41940** is driving a **large cPanel & WHM compromise wave**, putting exposed servers at risk of administrative takeover. **More than 40,000 serve...

Mirai-based CVE-2025-29635 D-Link DIR-823X botnet-enlistment campaign

Campaign
First: 22.04.2026 23:04 Last: 22.04.2026 23:04 Sources 1

About this happening: The **Mirai-based malware campaign** is **actively exploiting CVE-2025-29635** against **D-Link DIR-823X routers**, turning vulnerable devices into botnet nodes. The activity matt...

TBK DVR command injection flaw actively exploited (CVE-2024-3721)

Vulnerability
First: 20.04.2026 16:01 Last: 20.04.2026 16:01 Sources 1

About this happening: The **CVE-2024-3721** command injection flaw in **TBK DVR systems** is being actively exploited to gain access and install **Nexcorium** malware. Attackers abuse **crafted request...

TP-Link router authenticated command injection (CVE-2023-33538)

Vulnerability
First: 20.04.2026 10:50 Last: 20.04.2026 10:50 Sources 1

About this happening: **CVE-2023-33538** in **discontinued TP-Link routers** is still being probed, leaving exposed devices at risk of **arbitrary command execution** and **denial of service** if attac...

Windows zero-day exploitation wave

Exploitation Wave
First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

Timeline

  1. 16.01.2026 11:15 · 2 articles

    HPE OneView RondoDox exploitation wave (CVE-2025-37164)

    Initial Disclosure

    Early activity in **December 2025** consisted of probing and initial exploitation attempts against **HPE OneView**. The campaign then escalated in **January 2026** into **botnet-driven automated exploitation** at scale.
