RondoDox botnet exploits HPE OneView vulnerability on a massive scale

Check Point Research has identified a coordinated attack campaign targeting CVE-2025-37164, a critical vulnerability in HPE OneView. The RondoDox botnet is escalating from early reconnaissance to large-scale, automated attacks. Check Point has already blocked tens of thousands of exploitation attempts.

The wave of attacks came quickly after the vulnerability was published. On December 16, 2025, Hewlett Packard Enterprise published an advisory on CVE-2025-37164, a critical remote code execution vulnerability in HPE OneView. The vulnerability received the highest possible CVSS score and allows unauthenticated attackers to execute code directly.

Check Point deployed emergency protection via its Quantum Intrusion Prevention System on December 21. That same evening, they detected the first exploitation attempts. What started as simple proof-of-concept attempts quickly escalated into something much bigger.

Dramatic escalation to 40,000 attacks

On January 7, 2026, activity increased explosively. Between 05:45 and 09:20 UTC, Check Point Research recorded more than 40,000 attack attempts. The analyses point to automated, botnet-driven exploitation. Check Point attributes this activity to the RondoDox botnet based on a distinctive user-agent string and the observed commands.

The RondoDox botnet targets IoT devices and web servers, carrying out DDoS attacks and cryptocurrency mining. The botnet was publicly identified for the first time in mid-2025. Check Point saw RondoDox actively exploiting high-profile vulnerabilities, including React2Shell (CVE-2025-55182) in December.

The exploitation of CVE-2025-37164 follows on directly from this. The vulnerability is in the executeCommand REST API endpoint of the id-pools functionality. The endpoint accepts input from attackers without authentication or authorization checks and executes it directly via the underlying operating system’s runtime.
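Defensive detection for the pattern described above, added here as an example and not code from Check Point or HPE: it parses constructed access-log lines, picks out requests to an id-pools executeCommand route (the route `/rest/id-pools/executeCommand` is an assumption; the article gives only the endpoint name), reports which were served with a 2xx rather than refused, and flags sources that burst within a fixed window, the shape of the January 7 spike.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines (Combined Log Format, documentation IP ranges). The
# route is an assumption: the article names the endpoint, not its exact URL.
SAMPLE_LOG = """\
198.51.100.7 - - [07/Jan/2026:05:46:01 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jan/2026:05:46:02 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jan/2026:05:50:10 +0000] "GET /rest/version HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [07/Jan/2026:05:47:30 +0000] "POST /rest/id-pools/executeCommand HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
ENDPOINT_RE = re.compile(r"/id-pools/.*executeCommand", re.IGNORECASE)  # name from the article

def parse_line(line):
    """Parse one access-log line into a dict; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry

def execute_command_hits(log_text):
    """Entries whose request path targets the id-pools executeCommand endpoint."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [e for e in entries if e and ENDPOINT_RE.search(e["path"])]

def served_without_rejection(hits):
    """Hits answered 2xx: on an unpatched appliance, requests that were not refused."""
    return [h for h in hits if 200 <= h["status"] < 300]

def burst_sources(hits, window_minutes=5, threshold=3):
    """Source IPs with at least `threshold` hits inside one fixed time window."""
    buckets = Counter()
    for h in hits:
        floored = h["ts"].replace(second=0, microsecond=0)
        floored = floored.replace(minute=floored.minute - floored.minute % window_minutes)
        buckets[(h["ip"], floored)] += 1
    flagged = {}
    for (ip, _), n in buckets.items():
        if n >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), n)
    return flagged
```

After patching, the same query should show every executeCommand hit answered with a 4xx rather than a 2xx; a 2xx after the fix date is the finding to escalate.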

Dutch IP address central to attacks

Most of the observed activity came from a single Dutch IP address that has been widely reported online as suspicious. Check Point confirms that this threat actor is very active. The campaign affected organizations in multiple sectors. Government organizations suffered the most attacks, followed by financial services and industrial manufacturing.

Globally, the United States accounted for the highest volume of attacks. Australia, France, Germany, and Austria followed. Check Point reported the campaign to CISA on January 7. That same day, the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog.