
React2Shell Vulnerability Exploited by RondoDox Botnet for Malware and Cryptojacking Attacks

  • Jan 1

Key Findings


  • The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.

  • The RondoDox botnet has been active since 2024 and has evolved through three phases: reconnaissance and vulnerability testing, automated web application exploitation, and large-scale IoT botnet deployment.

  • The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavlink, deploying payloads including a cryptominer, a botnet loader and health checker, and a Mirai variant.

  • The attack campaign has been observed launching over 40 exploit attempts against the React2Shell flaw in a six-day period.


Background


Active since 2024, the RondoDox botnet uses custom libraries and mimics gaming or VPN traffic to evade detection. In July 2024, FortiGuard Labs first spotted the botnet exploiting CVE-2024-3721 and CVE-2024-12856. In October 2025, Trend Micro researchers reported that RondoDox exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers.


React2Shell Vulnerability


The React2Shell vulnerability (CVE-2025-55182) is a critical pre-authentication remote code execution flaw in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0. The vulnerability allows unauthenticated attackers to execute arbitrary code by exploiting unsafe payload decoding in Server Function endpoints.


RondoDox Botnet Campaign


  • March - April 2025: Initial reconnaissance and manual vulnerability scanning

  • April - June 2025: Daily mass vulnerability probing of web applications and IoT devices

  • July - early December 2025: Hourly automated deployment at large scale

  • December 2025: Scanning for vulnerable Next.js servers and deploying malicious payloads, including a cryptominer, a botnet loader and health checker, and a Mirai variant


Defensive Recommendations


  • Urgently audit Next.js apps, especially Server Actions, and apply patches or temporarily disable them

  • Isolate and harden IoT devices, deploy Web Application Firewalls (WAFs), and block known C2 infrastructure

  • Enhance network and behavioral monitoring, enforce zero-trust access for admin interfaces, and maintain continuous vulnerability and patch management with threat intelligence and regular testing


Sources


  • https://securityaffairs.com/186386/uncategorized/react2shell-under-attack-rondodox-botnet-spreads-miners-and-malware.html

  • https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html

© 2025 by Explain IT Again