RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
RondoDox has expanded into a large-scale botnet campaign that targets 174 vulnerabilities across a wide range of internet-exposed devices, with researchers observing up to 15,000 daily exploitation attempts. Reporting based on Bitsight telemetry says the botnet, active since 2025 and built on a Mirai code base, is more focused than typical Mirai-derived operations: it is geared toward denial-of-service activity and supports 18 architectures, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped 148 exploits to CVEs, identified 15 public PoCs without CVEs, and found 11 exploits with no public PoC, indicating active exploit collection and rapid weaponization of newly disclosed flaws.
The campaign has evolved from earlier exploitation of TP-Link Archer AX21 flaw CVE-2023-1389 and later abuse of CVE-2024-3721, CVE-2024-12856, and the React2Shell issue CVE-2025-55182 affecting Next.js servers. Researchers also reported that the operators use residential IP infrastructure and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit CVE-2025-62593 before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
BitSight reports residential IP infrastructure and revised C2 assessment
In findings published in March 2026, BitSight reported that RondoDox used compromised residential IP addresses in multiple countries to host malware payloads, including repurposed home devices such as UniFi Protect, Control4 systems, and a TCL Android TV. The researchers also concluded that earlier public claims were inaccurate and that the botnet relied on traditional command-and-control infrastructure rather than a loader-as-a-service panel or peer-to-peer C2.
BitSight observes campaign through mid-February with 174 flaws and 15,000 daily attempts
By 2026-02-16, BitSight's observation window showed RondoDox had targeted 174 vulnerabilities across 18 system architectures and generated up to 15,000 exploitation attempts per day. Despite the scale and adaptability of the campaign, researchers noted inconsistent exploit implementation reduced overall effectiveness.
RondoDox narrows to a highly selective exploitation strategy
By early January 2026, RondoDox had reduced its active focus to only two vulnerabilities, marking a shift away from broad scanning toward more selective, higher-value targeting. Researchers assessed this as a significant evolution in the campaign's operational approach.
RondoDox reaches peak breadth of daily vulnerability targeting
In October 2025, the botnet hit its widest daily spread, targeting 49 distinct vulnerabilities in a single day. This reflected its earlier shotgun-style strategy of testing many flaws across DVRs, NVRs, CCTV systems, routers, web servers, and other devices.
RondoDox botnet first detected launching exploitation campaign
BitSight observed the newly tracked RondoDox botnet begin a sustained exploitation campaign on 2025-05-25. The Mirai-derived botnet focused on denial-of-service activity and started probing a broad range of internet-exposed devices and services.
RondoDox rapidly weaponizes newly disclosed vulnerabilities
During 2025, researchers found RondoDox operators quickly added newly disclosed flaws to their arsenal, including React2Shell (CVE-2025-55182) and CVE-2025-62593, sometimes within days or weeks of disclosure. In one case, the botnet exploited a vulnerability before its formal public publication because a proof-of-concept was already available.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
RondoDox botnet intrusions become more focused, report finds | brief | SC Media
scworld.com
Open sourceRondoDox botnet expands arsenal targeting 174 flaws, and hits 15,000 daily exploit attempts
securityaffairs.com
Open sourceRondoDox Botnet Expands to 174 Exploits, Leveraging Residential IP Infrastructure at Scale - Cyber Security News
cybersecuritynews.com
Open sourceRondoDox Botnet: From Zero to 174 Exploited Vulnerabilities | Bitsight
bitsight.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RondoDox Botnet Campaign Exploiting Dozens of N-Day Vulnerabilities in Internet-Exposed Devices
The RondoDox botnet has emerged as a significant threat, actively targeting a wide array of internet-exposed infrastructure by exploiting over 50 known vulnerabilities, many of which were first disclosed during Pwn2Own hacking competitions. Security researchers from Trend Micro and FortiGuard Labs have observed the botnet leveraging an 'exploit shotgun' approach, simultaneously deploying numerous exploits to maximize infection rates across diverse device types. The campaign has been active globally since at least June 2025, with attacks focusing on routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices from more than 30 vendors. Notably, the botnet exploits both recent and older vulnerabilities, including CVE-2023-1389 in the TP-Link Archer AX21 Wi-Fi router, which was originally demonstrated at Pwn2Own Toronto 2022 and previously targeted by Mirai. The list of exploited vulnerabilities includes CVE-2024-3721, CVE-2024-12856, and many others affecting brands such as Digiever, QNAP, LB-LINK, TRENDnet, D-Link, TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, and Linksys. Many of these vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to patch affected systems. Devices that have reached end-of-life are particularly at risk, as they are less likely to receive security updates, making them attractive targets for the botnet operators. The campaign exposes organizations to risks including data exfiltration, persistent network compromise, and operational disruption, especially for those with internet-facing infrastructure. Security experts recommend prioritizing the patching of all listed vulnerabilities, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring for anomalous device activity. Trend Micro has indicated that its solutions provide protection against the vulnerabilities exploited by RondoDox, offering mitigation while patching is underway. The rapid weaponization of vulnerabilities demonstrated at Pwn2Own highlights the need for organizations to monitor disclosures from such competitions and act swiftly to secure their environments. The RondoDox botnet’s ability to quickly expand its arsenal of exploits demonstrates a high level of adaptability and threat actor sophistication. The campaign’s global reach and the diversity of targeted devices suggest that organizations across multiple sectors are at risk. The use of mass n-day exploitation, rather than relying solely on zero-day vulnerabilities, allows the botnet to compromise a large number of devices that may not be promptly patched. Security researchers emphasize the importance of defense-in-depth strategies to mitigate the impact of such widespread exploitation campaigns. The ongoing activity of RondoDox serves as a stark reminder of the persistent threat posed by botnets leveraging known vulnerabilities in widely deployed network devices.
Mar 21, 2026
RondoDox Botnet Exploits Critical Asus Router RCE for Root Access
Researchers reported that the **RondoDox** botnet is actively exploiting `CVE-2018-5999`, a critical remote code execution flaw in Asus routers that lets unauthenticated attackers gain **root access**. VulnCheck said it observed in-the-wild exploitation beginning on May 17, marking the first known real-world abuse of the 2018 vulnerability even though public exploit code has been available for years. The flaw affects widely deployed consumer routers, with more than 1 million Asus devices believed to be exposed online. RondoDox, a Linux-focused botnet first seen in mid-2025 and often described as a **Mirai** variant, uses multi-stage mass exploitation against end-of-life and IoT devices, frequently chaining older embedded-device CVEs before deploying malware and connecting to command-and-control infrastructure. Researchers said the botnet is primarily used for denial-of-service attacks and appears to rely on compromised residential IP addresses for hosting, suggesting its operators closely track vulnerability disclosures and rapidly weaponize older flaws in consumer networking gear.
May 26, 2026
Mirai Variant Exploits Multiple IoT Flaws to Expand Botnet Infections
Palo Alto Networks Unit 42 reported that a new **Mirai** campaign is targeting internet-exposed IoT devices by chaining multiple known exploits to compromise systems and pull them into a botnet. The activity focuses on broad opportunistic scanning and exploitation, continuing Mirai’s long-running pattern of abusing weakly secured embedded devices such as routers, cameras, and other Linux-based appliances. The campaign’s significance lies in its use of several IoT vulnerabilities rather than a single flaw, increasing the number of devices that can be infected and used for follow-on malicious activity such as distributed denial-of-service (**DDoS**) attacks. The report highlights the ongoing risk from unpatched and publicly reachable IoT infrastructure, underscoring the need for rapid patching, exposure reduction, and stronger hardening of embedded systems connected to the internet.
May 25, 2026