
RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers

Published:

1 January 2026 at 09:19:00

Alert date:

1 January 2026 at 10:02:11

Source:

thehackernews.com


Mobile & IoT, Web Technologies, Ransomware & Malware, Zero-Day Vulnerabilities

Cybersecurity researchers have disclosed a persistent nine-month campaign that targets IoT devices and web applications in order to enrol them into the RondoDox botnet. As of December 2025, the campaign has been observed using the recently disclosed React2Shell vulnerability (CVE-2025-55182), which carries a critical CVSS score of 10.0, as an initial access vector. CloudSEK researchers have been tracking the ongoing activity.

Technical details

RondoDox is a botnet that has been operating since early 2025 and now exploits the React2Shell vulnerability (CVE-2025-55182), rated CVSS 10.0. The vulnerability affects React Server Components (RSC) and Next.js and allows unauthenticated remote code execution. The campaign evolved through three phases: initial reconnaissance (March-April 2025), daily mass vulnerability probing (April-June 2025), and hourly automated deployment (July-December 2025). Attackers scan for vulnerable Next.js servers and deploy a cryptocurrency miner (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai botnet variant (/nuts/x86). The /nuts/bolts component terminates competing malware, removes known botnets and Docker payloads, sets up persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds to prevent reinfection.

Mitigation steps:

Update Next.js to a patched version as soon as possible
Segment all IoT devices into dedicated VLANs
Deploy Web Application Firewalls (WAFs)
Monitor for suspicious process execution
Block known C2 infrastructure
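The persistence mechanism described in the technical details (entries in /etc/crontab) and the "monitor for suspicious process execution" step above can both be checked for the payload paths this advisory lists. The following is an added example written for this page, not code from the advisory or from CloudSEK; the crontab and ps listings it scans are constructed samples, and the payload paths are the ones named in the IOC section.

```python
import re

RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")  # IOC paths from the advisory

def _match_path(command):
    """Return the first advisory payload path found in a command string, else None."""
    return next((p for p in RONDODOX_PATHS if p in command), None)

def scan_crontab(text, source="/etc/crontab"):
    """Flag system-crontab entries whose command references a payload path.
    Lines are 'm h dom mon dow user command' or '@reboot user command';
    comments and VAR=value environment lines are skipped.
    Returns (source, line_no, indicator, command) tuples."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        shortcut = line.startswith("@")
        parts = line.split(None, 2 if shortcut else 6)
        # Malformed lines are scanned whole rather than silently dropped.
        command = parts[-1] if len(parts) == (3 if shortcut else 7) else line
        if hit := _match_path(command):
            findings.append((source, no, hit, command))
    return findings

def scan_process_list(ps_output):
    """Flag processes in `ps -eo pid,args` output that reference a payload path.
    Returns ("pid N", line_no, indicator, args) tuples."""
    findings = []
    for no, raw in enumerate(ps_output.splitlines(), 1):
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header or malformed line
        if hit := _match_path(parts[1]):
            findings.append((f"pid {parts[0]}", no, hit, parts[1]))
    return findings

# Constructed samples, not real captures.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /nuts/bolts
* * * * *       root    /nuts/x86 >/dev/null 2>&1
"""
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
 4213 /nuts/poop
 4215 /bin/sh -c /nuts/bolts
"""
```

On a live host, feed it the contents of /etc/crontab (and the files under /etc/cron.d) and the output of `ps -eo pid,args`; a match on a once-per-minute or @reboot entry matches the reinfection loop the advisory describes.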

Affected products:

React Server Components (RSC)
Next.js
WordPress
Drupal
Struts2
Wavlink routers
IoT devices

IOCs:

/nuts/poop, /nuts/bolts, /nuts/x86, /etc/crontab

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
