RondoDox edge and web exploitation

RondoDox is exploiting a wide set of public-facing flaws to turn routers, DVRs, NVRs, CCTV systems, web servers, and other network devices into botnet infrastructure. Trend Micro described the operation as an exploit-shotgun campaign spanning more than 30 vendors and more than 50 vulnerabilities. The distribution chain now includes a loader-as-a-service layer that bundles **RondoDox** with **Mirai/Morte** payloads. On June 15, 2025, Trend Micro detected an intrusion attempt that used **CVE-2023-1389** against **TP-Link Archer** routers. That activity sits inside the wider edge-device wave that started in May and broadened across hard-to-patch internet-exposed infrastructure. The operation later shifted into malware deployment against exposed **Next.js** servers by exploiting **CVE-2025-55182 (React2Shell)**. That chain dropped a coinminer, a botnet loader and health checker, and a **Mirai** variant, while enforcing persistence through **/etc/crontab** and removing competing malware. Public reporting put React2Shell exposure above **94,000 internet-exposed assets**, but available evidence does not quantify how many systems were compromised. Defenders are being pushed toward patching **CVE-2023-1389** and **CVE-2025-55182**, plus isolating exposed devices and checking for botnet persistence signs. Available evidence still does not quantify the full reach of the botnet or the final compromise total.