RondoDox Botnet Exploits Critical Asus Router RCE for Root Access
Researchers reported that the RondoDox botnet is actively exploiting CVE-2018-5999, a critical remote code execution flaw in Asus routers that lets unauthenticated attackers gain root access. VulnCheck said it observed in-the-wild exploitation beginning on May 17, marking the first known real-world abuse of the 2018 vulnerability even though public exploit code has been available for years. The flaw affects widely deployed consumer routers, with more than 1 million Asus devices believed to be exposed online.
RondoDox, a Linux-focused botnet first seen in mid-2025 and often described as a Mirai variant, uses multi-stage mass exploitation against end-of-life and IoT devices, frequently chaining older embedded-device CVEs before deploying malware and connecting to command-and-control infrastructure. Researchers said the botnet is primarily used for denial-of-service attacks and appears to rely on compromised residential IP addresses for hosting, suggesting its operators closely track vulnerability disclosures and rapidly weaponize older flaws in consumer networking gear.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly report RondoDox attacks on Asus routers
On May 22, 2026, reporting disclosed that RondoDox was exploiting CVE-2018-5999 in Asus routers at scale. The coverage also highlighted the botnet's use of older embedded-device CVEs, compromised residential IPs, and likely monitoring of vulnerability disclosures to weaponize flaws quickly.
VulnCheck observes RondoDox exploiting CVE-2018-5999
VulnCheck began observing in-the-wild exploitation of CVE-2018-5999 by the RondoDox botnet on May 17, 2026. Researchers said this was the first known active exploitation of the long-public Asus router vulnerability.
F5 Labs begins tracking RondoDox exploiting multiple IoT vulnerabilities
F5 Labs reported tracking the RondoDox threat actor since July 15, 2025 as it targeted IoT and other Linux-based devices using numerous command-injection and remote-code-execution exploits. The researchers documented its limited set of distribution IPs, rotating rondo.XXX.sh first-stage scripts, architecture-specific payloads, and indicators including the email address bang2012@tutanota.de.
RondoDox botnet first observed in the wild
Researchers first saw the Linux-focused RondoDox botnet in mid-2025. It was described as a Mirai variant that targets end-of-life and IoT devices using multi-stage exploitation.
Public exploit code for CVE-2018-5999 becomes available
Exploit code for CVE-2018-5999, a critical remote code execution flaw in Asus routers allowing unauthenticated root access, was publicly available in 2018. Despite this, no real-world exploitation had been reported for years.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
5 references tracked. Mallory keeps watching after this page renders.
RondoDox botnet exploits old ASUS router vulnerability | brief | SC Media
scworld.com
Open sourceRondoDox Botnet Exploits 2018 Flaw in Asus Routers
govinfosecurity.com
Open sourceRondoDox Botnet Exploits 2018 Flaw in Asus Routers
bankinfosecurity.com
Open source🚨 New to VulnCheck KEV: CVE-2018-5999 (ASUS Routers), First Observed ITW via RondoDox On May 17, the VulnCheck Canary Network observed exploitation of CVE-2018-5999, an unauthenticated… | Jacob Baines
linkedin.com
Open sourceTracking RondoDox: Malware Exploiting Many IoT Vulnerabilities | F5 Labs
f5.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
RondoDox Botnet Broadens Exploitation to 174 Vulnerabilities
**RondoDox** has expanded into a large-scale botnet campaign that targets **174 vulnerabilities** across a wide range of internet-exposed devices, with researchers observing up to **15,000 daily exploitation attempts**. Reporting based on **Bitsight** telemetry says the botnet, active since 2025 and built on a **Mirai** code base, is more focused than typical Mirai-derived operations: it is geared toward **denial-of-service activity** and supports **18 architectures**, enabling attacks against routers, DVRs, NVRs, CCTV systems, web servers, and other embedded or Linux-based hardware. Analysts mapped **148 exploits to CVEs**, identified **15 public PoCs without CVEs**, and found **11 exploits with no public PoC**, indicating active exploit collection and rapid weaponization of newly disclosed flaws. The campaign has evolved from earlier exploitation of **TP-Link Archer AX21** flaw `CVE-2023-1389` and later abuse of `CVE-2024-3721`, `CVE-2024-12856`, and the **React2Shell** issue `CVE-2025-55182` affecting **Next.js** servers. Researchers also reported that the operators use **residential IP infrastructure** and traffic patterns that mimic gaming or VPN services to reduce detection, while showing the ability to deploy some exploits within days of disclosure and, in at least one case, exploit `CVE-2025-62593` before its CVE record was formally published. This activity reflects a sustained, strategically managed botnet operation rather than opportunistic scanning, with broad exploit coverage and infrastructure choices designed to improve reach and resilience.
Mar 22, 2026
RondoDox Botnet Campaign Exploiting Dozens of N-Day Vulnerabilities in Internet-Exposed Devices
The RondoDox botnet has emerged as a significant threat, actively targeting a wide array of internet-exposed infrastructure by exploiting over 50 known vulnerabilities, many of which were first disclosed during Pwn2Own hacking competitions. Security researchers from Trend Micro and FortiGuard Labs have observed the botnet leveraging an 'exploit shotgun' approach, simultaneously deploying numerous exploits to maximize infection rates across diverse device types. The campaign has been active globally since at least June 2025, with attacks focusing on routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices from more than 30 vendors. Notably, the botnet exploits both recent and older vulnerabilities, including CVE-2023-1389 in the TP-Link Archer AX21 Wi-Fi router, which was originally demonstrated at Pwn2Own Toronto 2022 and previously targeted by Mirai. The list of exploited vulnerabilities includes CVE-2024-3721, CVE-2024-12856, and many others affecting brands such as Digiever, QNAP, LB-LINK, TRENDnet, D-Link, TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, and Linksys. Many of these vulnerabilities are now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency for organizations to patch affected systems. Devices that have reached end-of-life are particularly at risk, as they are less likely to receive security updates, making them attractive targets for the botnet operators. The campaign exposes organizations to risks including data exfiltration, persistent network compromise, and operational disruption, especially for those with internet-facing infrastructure. Security experts recommend prioritizing the patching of all listed vulnerabilities, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring for anomalous device activity. Trend Micro has indicated that its solutions provide protection against the vulnerabilities exploited by RondoDox, offering mitigation while patching is underway. The rapid weaponization of vulnerabilities demonstrated at Pwn2Own highlights the need for organizations to monitor disclosures from such competitions and act swiftly to secure their environments. The RondoDox botnet’s ability to quickly expand its arsenal of exploits demonstrates a high level of adaptability and threat actor sophistication. The campaign’s global reach and the diversity of targeted devices suggest that organizations across multiple sectors are at risk. The use of mass n-day exploitation, rather than relying solely on zero-day vulnerabilities, allows the botnet to compromise a large number of devices that may not be promptly patched. Security researchers emphasize the importance of defense-in-depth strategies to mitigate the impact of such widespread exploitation campaigns. The ongoing activity of RondoDox serves as a stark reminder of the persistent threat posed by botnets leveraging known vulnerabilities in widely deployed network devices.
Mar 21, 2026
Persistent SSH Backdoor Compromises Thousands of Asus Routers
GreyNoise reported that a stealthy campaign dubbed **AyySSHush** compromised more than 9,000 internet-exposed Asus routers by exploiting authentication weaknesses and `CVE-2023-39780`, then establishing persistence without deploying conventional malware. The attackers enabled SSH on TCP port `53282`, inserted their own public key for remote access, and stored the configuration in NVRAM so the backdoor survives reboots and standard firmware upgrades. Researchers said the operation was unusually quiet and targeted, with GreyNoise observing only a few dozen malicious HTTP POST requests over several months, while the attackers also disabled logging and Asus **AiProtection** to reduce the chance of detection. Asus released firmware updates to address the documented vulnerability and undocumented login bypasses, but devices already compromised require manual cleanup or a full factory reset because upgrading firmware alone does not remove the implanted SSH access. The incident echoes earlier large-scale router compromises such as **VPNFilter**, the sophisticated botnet that infected hundreds of thousands of routers and NAS devices, used modular malware, and raised fears of disruptive operations tied to Ukraine; together, the cases underscore how edge devices can be quietly converted into durable footholds for botnet activity and potential follow-on attacks.
May 25, 2026