RondoDox Botnet Campaign Exploiting Dozens of N-Day Vulnerabilities in Internet-Exposed Devices
The RondoDox botnet has emerged as a significant threat, actively targeting a wide array of internet-exposed infrastructure by exploiting over 50 known vulnerabilities, many of which were first disclosed during Pwn2Own hacking competitions. Security researchers from Trend Micro and FortiGuard Labs have observed the botnet leveraging an 'exploit shotgun' approach, simultaneously deploying numerous exploits to maximize infection rates across diverse device types. The campaign has been active globally since at least June 2025, with attacks focusing on routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices from more than 30 vendors. Notably, the botnet exploits both recent and older vulnerabilities, including CVE-2023-1389 in the TP-Link Archer AX21 Wi-Fi router, which was originally demonstrated at Pwn2Own Toronto 2022 and previously targeted by Mirai. The list of exploited vulnerabilities includes CVE-2024-3721, CVE-2024-12856, and many others affecting brands such as Digiever, QNAP, LB-LINK, TRENDnet, D-Link, TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, and Linksys. Many of these vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to patch affected systems. Devices that have reached end-of-life are particularly at risk, as they are less likely to receive security updates, making them attractive targets for the botnet operators. The campaign exposes organizations to risks including data exfiltration, persistent network compromise, and operational disruption, especially for those with internet-facing infrastructure. Security experts recommend prioritizing the patching of all listed vulnerabilities, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring for anomalous device activity. 
Trend Micro has indicated that its solutions provide protection against the vulnerabilities exploited by RondoDox, offering mitigation while patching is underway. The rapid weaponization of vulnerabilities demonstrated at Pwn2Own highlights the need for organizations to monitor disclosures from such competitions and act swiftly to secure their environments. The RondoDox botnet’s ability to quickly expand its arsenal of exploits demonstrates a high level of adaptability and threat actor sophistication. The campaign’s global reach and the diversity of targeted devices suggest that organizations across multiple sectors are at risk. The use of mass n-day exploitation, rather than relying solely on zero-day vulnerabilities, allows the botnet to compromise a large number of devices that may not be promptly patched. Security researchers emphasize the importance of defense-in-depth strategies to mitigate the impact of such widespread exploitation campaigns. The ongoing activity of RondoDox serves as a stark reminder of the persistent threat posed by botnets leveraging known vulnerabilities in widely deployed network devices.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Researchers disclose RondoDox targeting 56 flaws across 30+ device types
Trend Micro and other outlets reported that RondoDox was actively exploiting 56 vulnerabilities, including 38 CVEs and 18 unassigned command-injection flaws, across more than 30 vendors and device types worldwide. The disclosure emphasized the botnet's rapid weaponization of n-day and Pwn2Own-related vulnerabilities and prompted calls for urgent patching and exposure reduction.
RondoDox expands into a loader-as-a-service operation
Trend Micro reported that RondoDox later evolved beyond initial exploitation into a loader-as-a-service model. This expansion allowed payloads such as RondoDox and Mirai/Morte to be co-packaged, broadening the campaign's reach and impact.
RondoDox is first publicly described targeting TBK and Four-Faith devices
In mid-2025, RondoDox was first publicly described as exploiting TBK DVRs and Four-Faith routers via CVE-2024-3721 and CVE-2024-12856. The attacks were used to gain shell access and deploy multi-architecture payloads.
RondoDox campaign becomes active globally
Researchers reported that the RondoDox botnet has been active globally since June, targeting internet-exposed infrastructure. The campaign used an 'exploit shotgun' method to try many exploits across routers, DVRs, NVRs, CCTV systems, web servers, and other devices.
RondoDox begins exploiting CVE-2023-1389 in early activity
Trend Micro said early RondoDox activity was tied to exploitation of CVE-2023-1389 in TP-Link Archer AX21 routers. This showed the botnet rapidly weaponizing a vulnerability first disclosed through Pwn2Own.
Pwn2Own Toronto 2022 flaw later tied to RondoDox is disclosed
A vulnerability in the TP-Link Archer AX21 router, later tracked as CVE-2023-1389, was publicly demonstrated at Pwn2Own Toronto 2022. Trend Micro later linked early RondoDox activity to weaponization of this bug, highlighting the botnet's use of competition-disclosed flaws.
Sources
6 references tracked.
Researchers Warn RondoDox Botnet is Weaponizing Over 50 Flaws Across 30+ Vendors (thehackernews.com)
Dozens of vulnerabilities targeted by massive RondoDox botnet (scworld.com)
RondoDox Botnet targets 56 flaws across 30+ device types worldwide (securityaffairs.com)
RondoDox Botnet: an 'Exploit Shotgun' for Edge Vulns (darkreading.com)
RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits | Trend Micro (US) (trendmicro.com)
RondoDox botnet targets 56 n-day flaws in worldwide attacks (bleepingcomputer.com)