HPE iLO 4 should never be connected directly to the Internet
Exposing a remote administration tool like iLO 4 to the Internet is never a good thing to do. These tools should only be accessible via secure VPNs in order to prevent them from being scanned for and accessed by anyone on the Internet.
The danger of exposing iLO 4 to the public is further compounded when there are known vulnerabilities in older versions that would allow an attacker to bypass authentication, execute commands, and add new administrator accounts. Scripts that exploit these vulnerabilities are also readily available.
Finding connected iLO 4 devices is also trivial. A quick search on Shodan shows that over 5,000 iLO 4 devices are connected to the Internet, with many of them running known vulnerable versions.
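One way to check your own estate against the VPN-only advice above is to audit the iLO addresses in an asset inventory. This is an added example, not part of the original article; the management networks, the inventory entries and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: networks reachable only through the management VPN.
MGMT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]
# RFC 1918 and IPv6 unique-local space: internal, but not necessarily VPN-only.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Constructed inventory of (hostname, iLO address). 203.0.113.0/24 and
# 2001:db8::/32 are documentation ranges standing in for public addresses.
INVENTORY = [
    ("db01-ilo", "10.20.0.15"),
    ("web03-ilo", "203.0.113.40"),
    ("lab07-ilo", "192.168.1.9"),
    ("app02-ilo", "fd00:20::1f"),
    ("edge01-ilo", "2001:db8::25"),
    ("old09-ilo", "10.20.0.300"),
]

def _in_any(addr, networks):
    # An IPv4 address is never "in" an IPv6 network (and vice versa),
    # so mixed-version lists can be tested without extra checks.
    return any(addr in net for net in networks)

def classify(address):
    """Return 'mgmt-only', 'internal', 'exposed' or 'invalid' for one iLO address."""
    try:
        addr = ipaddress.ip_address(address.strip())
    except ValueError:
        return "invalid"
    if _in_any(addr, MGMT_NETWORKS):
        return "mgmt-only"
    if _in_any(addr, INTERNAL_NETWORKS):
        return "internal"
    # Anything outside internal address space is treated as Internet-facing.
    return "exposed"

def audit(inventory):
    """Group hostnames by classification; anything but 'mgmt-only' needs follow-up."""
    report = {"mgmt-only": [], "internal": [], "exposed": [], "invalid": []}
    for host, address in inventory:
        report[classify(address)].append(host)
    return report

if __name__ == "__main__":
    for status, hosts in audit(INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

An address-based audit only catches interfaces that hold a public address themselves; an iLO on a private address can still be published through NAT or port forwarding, so firewall and router rules need the same review.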