
"Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an analysis. React2Shell is the name assigned to a critical security vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers"
"The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182:
- March - April 2025: Initial reconnaissance and manual vulnerability scanning
- April - June 2025: Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers
- July - early December 2025: Hourly automated deployment on a large-scale"
A nine-month campaign targeted Internet of Things devices and web applications to enroll them into the RondoDox botnet. The campaign used the React2Shell (CVE-2025-55182, CVSS 10.0) vulnerability as an initial access vector and deployed cryptocurrency miners, a botnet loader/health checker, and a Mirai variant. Shadowserver reported about 90,300 vulnerable instances as of December 31, 2025, with 68,400 in the United States. RondoDox expanded its toolkit with N-day exploits such as CVE-2023-1389 and CVE-2025-24893 and progressed through reconnaissance, mass probing, and hourly automated deployment phases between March and December 2025.
Read at The Hacker News