Mallory

RondoDox Botnet Campaign Exploiting Dozens of N-Day Vulnerabilities in Internet-Exposed Devices

Updated October 13, 2025 at 12:20 PM · 6 sources


The RondoDox botnet has emerged as a significant threat, actively targeting a wide array of internet-exposed infrastructure by exploiting over 50 known vulnerabilities, many of which were first disclosed during Pwn2Own hacking competitions. Security researchers from Trend Micro and FortiGuard Labs have observed the botnet leveraging an "exploit shotgun" approach, simultaneously deploying numerous exploits to maximize infection rates across diverse device types. The campaign has been active globally since at least June 2025, with attacks focusing on routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices from more than 30 vendors.

Notably, the botnet exploits both recent and older vulnerabilities, including CVE-2023-1389 in the TP-Link Archer AX21 Wi-Fi router, which was originally demonstrated at Pwn2Own Toronto 2022 and previously targeted by Mirai. The list of exploited vulnerabilities includes CVE-2024-3721, CVE-2024-12856, and many others affecting brands such as Digiever, QNAP, LB-LINK, TRENDnet, D-Link, TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, and Linksys. Many of these vulnerabilities are now included in CISA's Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to patch affected systems. Devices that have reached end-of-life are particularly at risk, as they are less likely to receive security updates, making them attractive targets for the botnet operators.

The campaign exposes organizations to risks including data exfiltration, persistent network compromise, and operational disruption, especially for those with internet-facing infrastructure. Security experts recommend prioritizing the patching of all listed vulnerabilities, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring for anomalous device activity.
Trend Micro has indicated that its solutions provide protection against the vulnerabilities exploited by RondoDox, offering mitigation while patching is underway. The rapid weaponization of vulnerabilities demonstrated at Pwn2Own highlights the need for organizations to monitor disclosures from such competitions and act swiftly to secure their environments. The RondoDox botnet’s ability to quickly expand its arsenal of exploits demonstrates a high level of adaptability and threat actor sophistication. The campaign’s global reach and the diversity of targeted devices suggest that organizations across multiple sectors are at risk. The use of mass n-day exploitation, rather than relying solely on zero-day vulnerabilities, allows the botnet to compromise a large number of devices that may not be promptly patched. Security researchers emphasize the importance of defense-in-depth strategies to mitigate the impact of such widespread exploitation campaigns. The ongoing activity of RondoDox serves as a stark reminder of the persistent threat posed by botnets leveraging known vulnerabilities in widely deployed network devices.

Sources

October 10, 2025 at 12:00 AM


Related Stories

RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities


**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.

Today

ShadowV2 Mirai-Based Botnet Exploits IoT Vulnerabilities During AWS Outage

A new Mirai-based botnet variant named **ShadowV2** was observed exploiting a major AWS outage in October to infect IoT devices across 28 countries. Security researchers at Fortinet’s FortiGuard Labs reported that ShadowV2 leveraged at least eight known vulnerabilities in devices from vendors such as D-Link, TP-Link, DD-WRT, DigiEver, and TBK. The botnet propagated rapidly during the day-long AWS disruption, targeting routers, NAS devices, and DVRs in sectors including government, technology, manufacturing, telecommunications, education, and managed security service providers. The attackers used a downloader script (`binary.sh`) to deliver the malware, which then connected to command-and-control infrastructure to receive further instructions. The campaign appeared to be a test run, as the botnet was only active during the AWS outage and did not persist beyond that period. Notably, some of the exploited vulnerabilities, such as `CVE-2024-10914` and `CVE-2024-10915`, affect end-of-life D-Link devices for which no patches are available, leaving many systems permanently exposed. D-Link updated its advisories to warn users about the risks to unsupported devices, while TP-Link addressed one of the flaws with a beta firmware update. The ShadowV2 botnet’s global reach and ability to exploit multiple unpatched IoT vulnerabilities highlight the ongoing risks posed by insecure and unsupported connected devices, especially during periods of widespread internet infrastructure disruption.

3 months ago

Operation Zero Disco: Exploitation of Cisco SNMP Vulnerability CVE-2025-20352 for Rootkit Deployment

Attackers launched a coordinated campaign known as Operation Zero Disco, exploiting a critical vulnerability in Cisco's Simple Network Management Protocol (SNMP), identified as CVE-2025-20352. This vulnerability enables remote code execution (RCE) on affected Cisco switches, allowing threat actors to implant persistent Linux rootkits. The primary targets of this operation were Cisco 9400, 9300, and legacy 3750G series switches, particularly those running older Linux systems lacking modern endpoint detection and response (EDR) solutions. Attackers leveraged the SNMP flaw to gain unauthorized access, set universal passwords, and install hooks directly into the IOSd memory space, ensuring deep persistence and evasion from standard security monitoring. In addition to exploiting CVE-2025-20352, the attackers attempted to leverage a modified Telnet vulnerability, based on the older CVE-2017-3881, to further enable memory access and expand their foothold. The operation was characterized by the use of spoofed IP addresses and Mac email accounts to obfuscate the origin of the attacks and complicate attribution.

Security researchers observed that the rootkits deployed were specifically designed to hide malicious activity and resist blue-team investigation, making detection and remediation more challenging. The campaign highlighted the risks associated with unpatched or unsupported network infrastructure, especially in environments where legacy devices are still in operation. Trend Micro's research emphasized the importance of advanced threat detection solutions, such as Trend Cloud One Network Security and Deep Discovery Inspector, which can identify Cisco-specific exploits and malicious controller communications. These tools utilize extended detection and response (XDR) capabilities and virtual patching to mitigate risks in hybrid cloud and traditional network environments.
The incident underscores the need for organizations to promptly apply security advisories, update device firmware, and implement network segmentation to limit the impact of such exploits. Cisco's advisory on CVE-2025-20352 provided technical details and mitigation steps, but the operation demonstrated that attackers are quick to weaponize newly disclosed vulnerabilities. The use of rootkits on network devices represents a significant escalation in attacker sophistication, as it allows for long-term persistence and potential lateral movement within compromised environments. The campaign also serves as a warning for organizations relying on legacy hardware, which may not receive timely security updates or support. Security teams are advised to monitor for unusual SNMP activity, unauthorized configuration changes, and signs of rootkit installation on network devices. The Operation Zero Disco campaign is a stark reminder of the evolving threat landscape targeting network infrastructure and the critical importance of proactive vulnerability management.

5 months ago
