React2Shell under attack: RondoDox Botnet spreads miners and malware

RondoDox botnet exploits the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.

CloudSEK researchers warn that the RondoDox botnet is exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers.

“CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the threat actors have shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like “React2Shell” and cryptominers.” reads the report published by CloudSEK. “This analysis offers crucial insights into their evolving infrastructure and provides defensive recommendations to mitigate these sophisticated attacks.”

In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection.

In October, Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.

Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits to see which succeed.

The Meta React Server Components flaw CVE-2025-55182 (CVSS score 10.0) is a pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw stems from the code deserializing data from HTTP requests to Server Function endpoints without proper safety checks.

The researcher Lachlan Davidson reported the security vulnerability in React on November 29th. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution. Apps using React Server Components may be exposed even without Server Function endpoints.

CloudSEK reports that the RondoDox botnet began scanning for vulnerable Next.js servers on December 8 and started deploying botnet clients three days later. In 2025, RondoDox evolved through three phases: reconnaissance and vulnerability testing (March–April), automated web application exploitation (April–June), and large-scale IoT botnet deployment from July onward.

Recently, it has heavily exploited the React2Shell flaw, launching over 40 exploit attempts in six days. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavlink. Deployed payloads include a cryptominer, a botnet loader and health checker, and a Mirai variant.

CloudSEK's guidance recommends urgent audits of Next.js apps, especially Server Actions, with immediate patching or temporary disablement. It stresses isolating and hardening IoT devices, deploying WAF protections, blocking known C2 infrastructure, and enhancing network and behavioral monitoring. Additional measures include enforcing zero-trust access for admin interfaces and maintaining continuous vulnerability and patch management with threat intelligence and regular testing.
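One way to act on the monitoring recommendation above, as an added example that is not from CloudSEK or this article: a small Python detector that reads reverse-proxy access logs (a constructed sample is embedded inline) and flags sources that spray Server Action POSTs across many routes, the "exploit shotgun" pattern described earlier. It assumes the proxy logs the Next-Action request header (sent by Next.js when a Server Action is invoked) in a `next_action` field, and that the set of routes legitimately hosting actions is known; the route list and log format are hypothetical.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (JSON lines) from a reverse proxy in front of a
# Next.js app. The "next_action" field is assumed to hold the Next-Action
# request header. 198.51.100.5 is a normal user; 203.0.113.7 sprays action POSTs.
SAMPLE_LOG = """
{"ts":"2025-12-08T10:00:01Z","src":"198.51.100.5","method":"POST","path":"/checkout","next_action":"7f3a91","status":200}
{"ts":"2025-12-08T10:00:09Z","src":"198.51.100.5","method":"GET","path":"/checkout","next_action":"","status":200}
{"ts":"2025-12-08T10:01:00Z","src":"203.0.113.7","method":"POST","path":"/","next_action":"0000ab","status":500}
{"ts":"2025-12-08T10:01:02Z","src":"203.0.113.7","method":"POST","path":"/login","next_action":"0000ab","status":500}
{"ts":"2025-12-08T10:01:04Z","src":"203.0.113.7","method":"POST","path":"/api/health","next_action":"0000ab","status":500}
{"ts":"2025-12-08T10:01:07Z","src":"203.0.113.7","method":"POST","path":"/checkout","next_action":"0000ab","status":500}
{"ts":"2025-12-08T10:01:09Z","src":"203.0.113.7","method":"POST","path":"/admin","next_action":"0000ab","status":500}
"""

# Routes on which this (hypothetical) app legitimately invokes Server Actions.
KNOWN_ACTION_ROUTES = {"/checkout", "/account"}

def find_server_action_bursts(log_text, window=timedelta(minutes=5), threshold=5):
    """Map source IP -> sorted reasons. Flags action POSTs to routes that never
    host actions (probing) and `threshold`+ action POSTs inside any `window`."""
    per_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["method"] != "POST" or not rec.get("next_action"):
            continue  # only Server Action invocations are of interest
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        per_src[rec["src"]].append((ts, rec["path"]))
    findings = {}
    for src, events in per_src.items():
        events.sort()
        reasons = []
        off_route = sorted({p for _, p in events if p not in KNOWN_ACTION_ROUTES})
        if off_route:
            reasons.append("action POST to non-action route: " + ", ".join(off_route))
        # Sliding window: largest number of action POSTs within `window`.
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            reasons.append(f"{peak} action POSTs within {window}")
        if reasons:
            findings[src] = sorted(reasons)
    return findings
```

Tune `window` and `threshold` to the app's real traffic; a single source hitting several non-action routes with action POSTs is the stronger signal, since legitimate clients only post actions to pages that render them.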


Pierluigi Paganini
