RondoDox Botnet Takes 'Exploit Shotgun' Approach
Briefly

"A newly identified botnet takes a 'shotgun' approach to compromising devices, packing over 50 exploits targeting routers, servers, cameras, and other network products, Trend Micro reports. Dubbed RondoDox, the botnet began activities in mid-2025 and was associated with the exploitation of CVE-2023-1389, a command injection flaw in the WAN interface of TP-Link Archer AX21 routers that was disclosed at the Pwn2Own Toronto hacking contest in 2022."
"RondoDox targets a total of 56 vulnerabilities, including 18 that do not have a CVE identifier assigned. Most of these are command injection bugs and a subset of them was added to the US cybersecurity agency CISA's KEV list, which underlines the immediate need for patching. In late September, CloudSek warned of a 230% surge in the botnet's attacks since mid-2025, fueled by the exploitation of weak credentials, unsanitized input, and old CVEs."
RondoDox began operations in mid-2025 and initially exploited CVE-2023-1389 in TP-Link Archer AX21 routers. The botnet targets routers, DVRs, NVRs, CCTV systems, web servers, and other networking equipment from more than 30 vendors. RondoDox exploits a total of 56 vulnerabilities, including 18 without CVE identifiers, with most being command injection bugs. Several vulnerabilities were added to CISA’s KEV list, highlighting immediate patching needs. The botnet abuses weak credentials, unsanitized input, and old CVEs to compromise devices. Infected systems are used for cryptocurrency mining, DDoS attacks, and lateral movement into enterprise networks. Operators rotate infrastructure and distribute binaries alongside Mirai and Morte via loader-as-a-service.
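Since the summary above attributes most of the botnet's 56 vulnerabilities to command injection and "unsanitized input", the following added example (not part of the SecurityWeek report or any vendor's firmware code) shows the pattern behind that bug class and its fix. A hypothetical router diagnostics handler takes a host name for a ping test; the unsafe variant pastes it into a shell command line, the safe variant validates it against an allowlist and passes an argument vector with no shell, so metacharacters are never interpreted. The hostname pattern and the metacharacter set are constructed for the example.

```python
import re
import subprocess

# Constructed allowlist: letters, digits, dots and hyphens, as a DNS name or IPv4 literal would use.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a POSIX shell would treat specially; their presence in a
# "hostname" field is a strong signal of an injection attempt in request logs.
SHELL_META = set(";|&`$<>\n\r")


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a command string
    that firmware later hands to something like system(). This function only
    returns the string; nothing is executed, so the flaw is visible but inert."""
    return f"ping -c 1 {host}"


def build_ping_command_safe(host: str) -> list[str]:
    """The hardened pattern: reject anything outside the allowlist, then return
    an argv list for subprocess.run(shell=False). Even if a metacharacter
    slipped past validation it would reach ping as a literal argument."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def contains_shell_metachars(value: str) -> bool:
    """Cheap detection heuristic for a WAF rule or a log review: does the
    submitted field contain any shell metacharacter at all?"""
    return any(ch in SHELL_META for ch in value)


def run_safe_demo(host: str) -> str:
    """Execute the safe argv through echo (stand-in for ping) to show that the
    list form runs without a shell and returns the literal arguments."""
    argv = build_ping_command_safe(host)
    result = subprocess.run(["echo", *argv], capture_output=True, text=True, check=True)
    return result.stdout.strip()


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one carrying a trailing command.
    for candidate in ("example.com", "127.0.0.1; id"):
        print("unsafe string :", build_ping_command_unsafe(candidate))
        print("metachars?    :", contains_shell_metachars(candidate))
        try:
            print("safe argv     :", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("safe argv     :", exc)
```

The detection heuristic is intentionally blunt: it flags any request whose host field contains a shell metacharacter, which is cheap to run over web-server logs from devices that cannot be patched immediately, while the allowlist in the safe builder is what actually closes the bug.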
Read at SecurityWeek