
RondoDox botnet exploits React2Shell flaw to breach Next.js servers

Published:

31 December 2025 at 14:58:51

Alert date:

31 December 2025 at 15:03:01

Source:

bleepingcomputer.com


Web Technologies, Ransomware & Malware, Mobile & IoT

The RondoDox botnet is actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) to compromise Next.js servers. Attackers are using this flaw to install malware and cryptominers on vulnerable systems. This represents an active exploitation campaign targeting web applications built with the popular Next.js framework. The vulnerability allows remote code execution on affected servers, making it a high-priority security concern for organizations running Next.js applications.

Technical details

The RondoDox botnet exploits React2Shell (CVE-2025-55182), a critical unauthenticated remote code execution vulnerability that affects React Server Components (RSC) 'Flight' protocol implementations, including Next.js. The vulnerability can be exploited via a single HTTP request. RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later. The botnet conducts hourly IoT exploitation waves targeting consumer and enterprise routers. After exploitation, it deploys multiple payloads, including a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86). The 'bolts' component removes competing botnet malware, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds.

Mitigation steps:

Audit and patch Next.js Server Actions
Isolate IoT devices into dedicated virtual LANs
Monitor for suspicious processes being executed
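The advisory names two host-level traces of the 'bolts' component, a persistence entry in /etc/crontab and the running payload processes, so a minimal check for the monitoring step above can look for the three payload paths in both places. This is an added example written for this page, not code from BleepingComputer or Perceptive; the sample crontab and process list are constructed, and the /proc helper is an assumption for Linux hosts.

```python
from pathlib import Path

# RondoDox payload paths named in this advisory (the only IoCs the page gives).
RONDODOX_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

def find_ioc_hits(lines, source):
    """Return (source, line) pairs for every line that mentions a payload path."""
    return [(source, line.strip()) for line in lines
            if any(p in line for p in RONDODOX_PATHS)]

def scan_crontab(text):
    """Flag crontab entries (the persistence vector) that reference a payload path."""
    active = [l for l in text.splitlines()
              if l.strip() and not l.lstrip().startswith("#")]
    return find_ioc_hits(active, "crontab")

def scan_processes(cmdlines):
    """Flag process command lines that reference a payload path."""
    return find_ioc_hits(cmdlines, "process")

def live_process_cmdlines():
    """Collect command lines from /proc (assumed Linux host); returns [] elsewhere."""
    out = []
    for p in Path("/proc").glob("[0-9]*"):
        try:
            raw = p.joinpath("cmdline").read_bytes()
            out.append(raw.replace(b"\0", b" ").decode(errors="replace"))
        except OSError:
            continue
    return out

# Constructed sample data: a crontab with one injected entry and a short process list.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /nuts/bolts >/dev/null 2>&1
"""
SAMPLE_PROCS = ["/usr/bin/node server.js", "/nuts/poop", "sshd: /usr/sbin/sshd"]

def run_sample():
    """Scan the constructed samples; on a live host pass Path('/etc/crontab').read_text()
    and live_process_cmdlines() instead."""
    return scan_crontab(SAMPLE_CRONTAB) + scan_processes(SAMPLE_PROCS)

if __name__ == "__main__":
    for src, line in run_sample():
        print(f"[{src}] {line}")
```

Because 'bolts' re-runs its process cleanup every 45 seconds, a one-off scan is only a first check; the same functions can be scheduled from a monitoring agent to catch a reinfection.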

Affected products:

Next.js servers
React Server Components (RSC) 'Flight' protocol implementations
XWiki Platform
Linksys routers
Wavlink routers

IOCs:

/nuts/poop, /nuts/bolts, /nuts/x86

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
