Ethical Hacking News
The RondoDox botnet has been exploiting a critical React2Shell flaw to infect vulnerable Next.js servers with malware and cryptominers. With its multifaceted approach and 56 known exploited flaws, this threat demands immediate attention from cybersecurity professionals and developers working with Next.js applications. Stay informed about the latest developments in this ongoing campaign by following reputable security sources.
The RondoDox botnet is utilizing a critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The threat actors have been scanning for vulnerable Next.js servers since December 8, 2025, and deploying botnet clients three days later. The React2Shell flaw is a pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0-19.2.0. The severity of this vulnerability was assessed at a CVSS score of 10.0, underscoring its critical nature. The RondoDox botnet has been employing custom libraries and mimicking gaming or VPN traffic to evade detection. The campaign is part of an evolving pattern of attacks that have shifted from targeting IoT devices to web applications in recent months.
React2Shell under Attack: RondoDox Botnet Spreads Miners and Malware
The cybersecurity landscape has witnessed numerous botnet campaigns in recent times, each with its unique modus operandi and level of sophistication. One such threat that has garnered significant attention in the security community is the RondoDox botnet, which has been utilizing a critical React2Shell flaw to infect vulnerable Next.js servers with malware and cryptominers.
In early January 2026, researchers at CloudSEK disclosed a comprehensive report detailing the activities of the RondoDox botnet. The threat actors in question have been exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malicious payloads on vulnerable Next.js servers. This exploit takes advantage of a pre-authentication remote code execution vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the packages react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack.
The React2Shell flaw stems from unsafe decoding of payloads sent to Server Function endpoints, which allows unauthenticated code execution. Applications that use React Server Components may be exposed even when they expose no Server Function endpoints of their own. The severity of this vulnerability was assessed at a CVSS score of 10.0, underscoring its critical nature.
CloudSEK researchers warn that the RondoDox botnet has been scanning for vulnerable Next.js servers since December 8, 2025, and began deploying botnet clients three days later. The campaign is part of an evolving pattern of attacks, which have shifted from targeting IoT devices to web applications in recent months.
The threat actors involved in this campaign seem to be utilizing a multifaceted approach, employing custom libraries and mimicking gaming or VPN traffic to evade detection. According to FortiGuard Labs, the RondoDox botnet was first spotted in July 2024, exploiting CVE-2024-3721 and CVE-2024-12856. The threat actors have since expanded their arsenal of exploits to target over 30 device types, including DVRs, NVRs, CCTV systems, and web servers.
In October 2025, Trend Micro researchers reported that the RondoDox botnet had been exploiting 56 known flaws across multiple device types. This breadth has led experts to label it an "exploit shotgun" approach: many exploits are fired at a target in the hope that at least one succeeds.
The deployment of malware and cryptominers on compromised servers raises significant concerns regarding the potential for data exfiltration and cryptocurrency mining operations. This multifaceted threat necessitates immediate attention from cybersecurity professionals and developers working with Next.js applications.
To mitigate this risk, CloudSEK recommends several key actions: urgent audits of Next.js apps, especially Server Actions, with immediate patching or temporary disablement; isolating and hardening IoT devices; deploying WAF protections; blocking known C2 infrastructure; enhancing network and behavioral monitoring; enforcing zero-trust access for admin interfaces; maintaining continuous vulnerability and patch management with threat intelligence and regular testing.
The emergence of the RondoDox botnet highlights the importance of keeping software up-to-date, implementing robust security measures, and engaging in proactive vulnerability assessments. As the cybersecurity landscape continues to evolve, it is crucial for organizations to remain vigilant and adapt their defenses accordingly.
Related Information:
https://www.ethicalhackingnews.com/articles/RondoDox-Botnet-The-Looming-Threat-of-a-Multifaceted-Malware-Campaign-ehn.shtml
https://securityaffairs.com/186386/uncategorized/react2shell-under-attack-rondodox-botnet-spreads-miners-and-malware.html
https://nvd.nist.gov/vuln/detail/CVE-2025-55182
https://www.cvedetails.com/cve/CVE-2025-55182/
https://nvd.nist.gov/vuln/detail/CVE-2024-3721
https://www.cvedetails.com/cve/CVE-2024-3721/
https://nvd.nist.gov/vuln/detail/CVE-2024-12856
https://www.cvedetails.com/cve/CVE-2024-12856/
Published: Thu Jan 1 09:04:13 2026 by llama3.2 3B Q4_K_M