RondoDox Botnet Exploits 56 Vulnerabilities Across Multiple Vendors

Edward Zhou
CEO & Co-Founder
October 13, 2025

TL;DR

The RondoDox botnet is rapidly expanding its reach by exploiting over 50 vulnerabilities across more than 30 vendors using an 'exploit shotgun' strategy. It's also being distributed via a loader-as-a-service model, bundled with Mirai and Morte payloads. This advanced threat targets various internet-exposed devices, including routers and DVRs, highlighting the need for robust security measures.

Description:
The RondoDox botnet has expanded its attack vectors to include over 50 vulnerabilities across more than 30 vendors, employing an "exploit shotgun" approach. The botnet targets a wide array of internet-exposed devices, including routers, DVRs, NVRs, CCTV systems, and web servers. RondoDox is also being distributed through a loader-as-a-service model, bundled with Mirai and Morte payloads.

RondoDox Botnet Overview

The RondoDox botnet is actively exploiting 56 vulnerabilities across more than 30 vendors, targeting a wide range of internet-exposed infrastructure. This includes routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices. Trend Micro describes this activity as an "exploit shotgun" approach. The botnet was first documented by Fortinet FortiGuard Labs in July 2025.

Initial Intrusion and Expansion

Trend Micro detected an intrusion attempt on June 15, 2025, where attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has been actively exploited since late 2022. More recently, RondoDox has broadened its distribution using a "loader-as-a-service" infrastructure, co-packaging itself with Mirai and Morte payloads.

Exploit Arsenal

RondoDox's arsenal includes nearly five dozen security flaws, with 18 having no CVE identifier. The 56 vulnerabilities span vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.

Loader-as-a-Service

Late last month, CloudSEK revealed details of a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps. This is achieved by weaponizing weak credentials, unsanitized inputs, and old CVEs.

AISURU Botnet Connection

Security journalist Brian Krebs noted that the AISURU botnet is drawing a majority of its firepower from compromised IoT devices hosted on U.S. internet providers like AT&T, Comcast, and Verizon. One of the botnet's operators, Forky, is allegedly based in São Paulo, Brazil, and is linked to a DDoS mitigation service called Botshield.

RDP Attack Wave

A coordinated botnet operation involving over 100,000 unique IP addresses from at least 100 countries is targeting Remote Desktop Protocol (RDP) services in the U.S., according to GreyNoise.

Vulnerability Exploitation Details

The RondoDox botnet exploits various vulnerabilities, including command injection, path traversal, buffer overflow, authentication bypass, and memory corruption. Researchers have observed the botnet campaign targeting flaws first identified in Pwn2Own contests. The initial RondoDox intrusion observed by Trend Micro on June 15, 2025, involved exploiting CVE-2023-1389 in the WAN interface of the TP-Link Archer AX21 Wi-Fi router.

Key Events Timeline

Key events in the RondoDox vulnerability timeline include:

  • December 6, 2022: Exploitation of TP-Link AX1800 WAN interface at Pwn2Own Toronto 2022.
  • January 10, 2023: Trend Micro publishes rule 42150 for the command injection vulnerability.
  • January 15, 2023: CVE-2023-1389 is reported to TP-Link, with coordinated public disclosure.
  • June 15, 2025: First RondoDox event detected exploiting CVE-2023-1389.
  • September 22, 2025: Trend Threat Research triages a RondoDox exploitation spike.
  • September 25, 2025: CloudSEK reports rapid growth via a loader-as-a-service model.

Vendor Vulnerability List

The botnet targets a variety of vendors and products, exploiting command injection vulnerabilities (CWE-78) in most cases. Some examples include:

  • D-Link: DNS-343 ShareCenter / goAhead Web Server
  • TVT: NVMS-9000 Digital Video Recorder (DVR)
  • LILIN: DVR (Variant A & B)
  • Fiberhome: Router SR1041F RP0105
  • Linksys: Router apply.cgi (Variant A & B)

The complete list includes 56 vulnerabilities, with 38 CVEs assigned and 18 without CVEs.
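Most of the flaws above are OS command injection (CWE-78): a web-UI parameter is spliced into a shell command line by the device's CGI handler. The following is an added example, not code from the article or from any vendor it names; it models a hypothetical router "diagnostics" handler that pings a user-supplied host, showing the vulnerable string-building form beside a hardened form that validates the parameter and passes an argv list so no shell ever parses it.

```python
import ipaddress
import re
import shlex

# Hypothetical stand-in for a router CGI handler's ping command builder.
# Hostname grammar per RFC 1123 labels (letters, digits, hyphens, dots).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_command_vulnerable(host: str) -> str:
    """CWE-78 pattern: the request parameter is interpolated into a command
    line that will be handed to /bin/sh (e.g. via system() or shell=True).
    A value such as '8.8.8.8; id' makes the shell run a second command."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Accept only an IP literal or a syntactically valid hostname; anything
    else (spaces, separators, quotes, substitution syntax) is rejected."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"rejected host parameter: {host!r}")


def build_ping_command_hardened(host: str) -> list:
    """Validate first, then return an argv list for execve-style execution
    (subprocess.run(argv) with shell=False). The value reaches ping as one
    argument; there is no shell to interpret metacharacters."""
    return ["ping", "-c", "1", validate_host(host)]


def shell_would_split(command: str) -> bool:
    """Illustrates why the string form is dangerous: tokenize as a POSIX
    shell would and report whether a command separator is present. Only
    separators are checked here; substitution forms like $(...) are not."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return any(tok in {";", "|", "&", "&&", "||"} for tok in lexer)


if __name__ == "__main__":
    # Constructed inputs: one benign, one carrying a separator.
    for value in ("8.8.8.8", "8.8.8.8; id"):
        cmd = build_ping_command_vulnerable(value)
        print(f"vulnerable: {cmd!r} -> extra command: {shell_would_split(cmd)}")
        try:
            print(f"hardened:   {build_ping_command_hardened(value)}")
        except ValueError as exc:
            print(f"hardened:   {exc}")
```

The defensive property is the combination of an allowlist check and argv execution; either alone is weaker (validation can be bypassed by an overlooked character class, and argv execution without validation still lets a hostile value reach the program's own option parser).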

Proactive Security Measures

Defenders should adopt a proactive security posture that includes regular vulnerability assessments, network segmentation, restricted internet exposure, and continuous monitoring for signs of compromise.
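Continuous monitoring for the exploitation classes this article lists (command injection and path traversal against device web interfaces) can start from the access logs of the exposed devices. The script below is an added example, not from the article or any vendor; it runs over constructed, combined-format log lines (sample addresses are from documentation ranges), decodes the request target the way a CGI would, flags shell separators in query strings and parent-directory hops in paths, and tallies flagged requests per source address.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import unquote_plus, urlsplit

# Constructed sample in Apache/nginx "combined" format, standing in for the
# web-UI access log of an internet-exposed device. Not captured traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Oct/2025:08:01:12 +0000] "GET /cgi-bin/status.cgi?page=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [13/Oct/2025:08:01:13 +0000] "GET /cgi-bin/ping.cgi?host=8.8.8.8%3Bid HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.22 - - [13/Oct/2025:08:02:40 +0000] "GET /static/../../../../etc/passwd HTTP/1.1" 404 0 "-" "python-requests/2.31"
203.0.113.44 - - [13/Oct/2025:08:03:01 +0000] "POST /apply.cgi HTTP/1.1" 200 64 "-" "Mozilla/5.0"
192.0.2.5 - - [13/Oct/2025:08:03:15 +0000] "GET /cgi-bin/ping.cgi?host=router.lan HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Characters that let a value escape a shell-built command line (CWE-78).
_SHELL_META_RE = re.compile(r"[;|&`$\n]")
# Literal parent-directory hops in a path, either separator style (CWE-22).
_TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def decode_target(target: str, rounds: int = 2) -> str:
    """URL-decode up to `rounds` times so a double-encoded value is seen as
    the device's CGI would see it after its own decoding step."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify_request(target: str) -> Optional[str]:
    """Return an exploitation class for a request target, or None if benign."""
    parts = urlsplit(decode_target(target))
    if _TRAVERSAL_RE.search(parts.path):
        return "path-traversal"
    if parts.query and _SHELL_META_RE.search(parts.query):
        return "command-injection"
    return None


def scan_log(text: str) -> list:
    """Parse each combined-format line and collect flagged requests."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = _LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        category = classify_request(m.group("target"))
        if category:
            findings.append({
                "line": lineno,
                "ip": m.group("ip"),
                "category": category,
                "target": decode_target(m.group("target")),
            })
    return findings


def summarize_by_source(findings: list) -> dict:
    """Flagged-request count per source IP, a simple basis for blocking or
    rate-limiting decisions and for spotting sweeping scanners."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['ip']} {hit['category']} {hit['target']}")
    print(summarize_by_source(hits))
```

The classifier is deliberately narrow (separators and traversal sequences only); it is a starting point for alerting on devices that cannot run an agent, to be paired with the segmentation and exposure reduction the paragraph above calls for rather than relied on alone.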

Edward Zhou is CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
