Ethical Hacking News
The RondoDox botnet has been identified exploiting the critical React2Shell flaw (CVE-2025-55182) to compromise vulnerable Next.js servers. This malicious activity poses a significant threat to organizations and highlights the importance of prioritizing the security and patching of Next.js servers.
The RondoDox botnet is exploiting a critical vulnerability known as React2Shell (CVE-2025-55182) in Next.js servers. React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request. North Korean hackers and other threat actors have been using the flaw to breach multiple organizations. RondoDox has scanned for vulnerable Next.js servers since December 8 and deployed botnet clients three days later. The botnet has conducted hourly IoT exploitation waves targeting consumer and enterprise routers. CloudSEK provides recommendations for companies to protect against RondoDox activity, including auditing and patching Next.js Server Actions. Over 94,000 internet-exposed assets are vulnerable to React2Shell as of December 30.
The RondoDox botnet, a large-scale cyberattack entity, has been identified exploiting a critical vulnerability known as React2Shell (CVE-2025-55182) to compromise vulnerable Next.js servers. This malicious activity was first documented by Fortinet in July 2025 and has since been observed by various cybersecurity organizations.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request, affecting all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js. The flaw has been leveraged by several threat actors to breach multiple organizations, with North Korean hackers being among them.
In November 2025, VulnCheck spotted new RondoDox variants featuring exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform. That earlier pickup shows the pattern behind the React2Shell activity: the operators fold newly disclosed RCE flaws into the botnet's exploit set within weeks of disclosure.
CloudSEK, a cybersecurity company, has reported that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. The researchers also note that RondoDox has passed through three distinct operational phases this year:
1. Reconnaissance and vulnerability testing from March to April 2025
2. Automated web app exploitation from April to June 2025
3. Large-scale IoT botnet deployment from July to the present
During its current operational phase, RondoDox has conducted hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots. CloudSEK reports that, after probing potentially vulnerable servers, RondoDox began deploying payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86).
The 'bolts' component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds. CloudSEK provides recommendations for companies to protect against RondoDox activity, including auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed.
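Because the 'bolts' loader persists through /etc/crontab, a quick audit of the system crontab is one of the cheapest checks a defender can run. The following script is an added example, not code from the article or from CloudSEK: it parses system-crontab entries (which carry a user field, unlike per-user crontabs) and flags any entry that references the payload paths named above, runs every minute or at every boot, or executes from a temporary directory. The payload paths come from the report summarised in this article; the temporary-directory heuristic and the sample crontab are constructed for illustration and are not indicators from the report.

```python
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Payload paths named in the CloudSEK reporting summarised in this article.
RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Heuristic only (an assumption, not from the report): persistence entries that
# launch binaries from world-writable staging directories deserve a look.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


@dataclass
class Finding:
    line_no: int
    line: str
    reasons: List[str] = field(default_factory=list)


def parse_system_cron_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Split an /etc/crontab entry into (schedule, user, command).

    Returns None for comments, blank lines, environment assignments and
    anything that does not have the expected number of fields.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if "=" in line.split()[0]:          # e.g. PATH=/usr/bin or SHELL=/bin/sh
        return None
    if line.startswith("@"):            # @reboot, @hourly, ... : user command
        parts = line.split(None, 2)
        if len(parts) < 3:
            return None
        return parts[0], parts[1], parts[2]
    parts = line.split(None, 6)         # m h dom mon dow user command
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def audit_crontab(text: str) -> List[Finding]:
    """Return one Finding per suspicious entry in the given crontab text."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        parsed = parse_system_cron_line(raw)
        if parsed is None:
            continue
        schedule, _user, command = parsed
        reasons = []
        if any(p in command for p in RONDODOX_PATHS):
            reasons.append("references RondoDox payload path")
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("executes from a temporary directory")
        if schedule == "* * * * *":
            reasons.append("runs every minute")
        if schedule == "@reboot":
            reasons.append("runs at every boot")
        if reasons:
            findings.append(Finding(line_no, raw.strip(), reasons))
    return findings


# Constructed sample crontab for demonstration; not a capture from a real host.
SAMPLE = """# constructed /etc/crontab, not a real capture
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /nuts/bolts >/dev/null 2>&1
@reboot root /tmp/.cache/x86 -c /tmp/.cache/cfg
0 3 * * * root /usr/bin/certbot renew --quiet
"""


if __name__ == "__main__":
    # Audit a real file if a path is given, otherwise the constructed sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for f in audit_crontab(source):
        print(f"line {f.line_no}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run it as `python3 audit_crontab.py /etc/crontab` on a host under review; the two benign entries in the constructed sample (the stock run-parts line and the certbot renewal) produce no findings, while the /nuts/bolts entry and the @reboot entry launched from /tmp are each flagged with every reason that applies. The check is deliberately narrow: it reads only the system crontab format, so per-user crontabs, /etc/cron.d fragments and systemd timers need their own pass.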
To understand the severity of this threat, it's essential to consider the impact of React2Shell on vulnerable servers. As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell. The recent exploits by RondoDox highlight the critical need for organizations to prioritize the security and patching of their Next.js servers.
In conclusion, the RondoDox botnet's exploitation of the critical React2Shell flaw is a significant concern for cybersecurity experts and organizations worldwide. The threat actors' tactics and techniques are noteworthy, emphasizing the importance of staying informed about emerging vulnerabilities and conducting regular security audits to protect against such attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/RondoDox-Botnet-Exploits-Critical-React2Shell-Flaw-to-Breach-Nextjs-Servers-ehn.shtml
https://www.bleepingcomputer.com/news/security/rondodox-botnet-exploits-react2shell-flaw-to-breach-nextjs-servers/
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
https://nvd.nist.gov/vuln/detail/CVE-2025-24893
https://www.cvedetails.com/cve/CVE-2025-24893/
Published: Wed Dec 31 09:12:34 2025 by llama3.2 3B Q4_K_M