RondoDox Botnet Exploits 56 Vulnerabilities Across Multiple Vendors

Edward Zhou, CEO & Co-Founder

October 13, 2025, 3 min read

TL;DR

  • The RondoDox botnet is rapidly expanding its reach by exploiting over 50 vulnerabilities across more than 30 vendors using an 'exploit shotgun' strategy. It's also being distributed via a loader-as-a-service model, bundled with Mirai and Morte payloads. This advanced threat targets various internet-exposed devices, including routers and DVRs, highlighting the need for robust security measures.


RondoDox Botnet Overview

The RondoDox botnet is actively exploiting 56 vulnerabilities across more than 30 vendors, targeting a wide range of internet-exposed infrastructure. This includes routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices. Trend Micro describes this activity as an "exploit shotgun" approach: rather than tailoring each attempt to a fingerprinted target, the botnet fires many exploits at every reachable device. The botnet was first documented by Fortinet FortiGuard Labs in July 2025.

Initial Intrusion and Expansion

Trend Micro detected an intrusion attempt on June 15, 2025, where attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has been actively exploited since late 2022. More recently, RondoDox has broadened its distribution using a "loader-as-a-service" infrastructure, co-packaging itself with Mirai and Morte payloads.

Exploit Arsenal

RondoDox's arsenal includes nearly five dozen security flaws, with 18 having no CVE identifier. The 56 vulnerabilities span vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.

Loader-as-a-Service

In late September 2025, CloudSEK revealed details of a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise apps. This is achieved by weaponizing weak credentials, unsanitized inputs, and old CVEs.

AISURU Botnet Connection

Security journalist Brian Krebs noted that the AISURU botnet is drawing a majority of its firepower from compromised IoT devices hosted on U.S. internet providers like AT&T, Comcast, and Verizon. One of the botnet's operators, Forky, is allegedly based in Sao Paulo, Brazil, and is linked to a DDoS mitigation service called Botshield.

RDP Attack Wave

A coordinated botnet operation involving over 100,000 unique IP addresses from at least 100 countries is targeting Remote Desktop Protocol (RDP) services in the U.S., according to GreyNoise.

Vulnerability Exploitation Details

The RondoDox botnet exploits various vulnerabilities, including command injection, path traversal, buffer overflow, authentication bypass, and memory corruption. Researchers have observed the botnet campaign targeting flaws first identified in Pwn2Own contests. The initial RondoDox intrusion observed by Trend Micro on June 15, 2025, involved exploiting CVE-2023-1389 in the WAN interface of the TP-Link Archer AX21 Wi-Fi router.

Key Events Timeline

Key events in the RondoDox vulnerability timeline include:

  • December 6, 2022: Exploitation of the TP-Link AX1800 WAN interface is demonstrated at Pwn2Own Toronto 2022.
  • January 10, 2023: Trend Micro publishes rule 42150 for the command injection vulnerability.
  • January 15, 2023: CVE-2023-1389 is reported to TP-Link, with coordinated public disclosure.
  • June 15, 2025: First RondoDox event detected exploiting CVE-2023-1389.
  • September 22, 2025: Trend Threat Research triages a RondoDox exploitation spike.
  • September 25, 2025: CloudSEK reports rapid growth via a loader-as-a-service model.

Vendor Vulnerability List

The botnet targets a variety of vendors and products, exploiting command injection vulnerabilities (CWE-78) in most cases. Some examples include:

  • D-Link: DNS-343 ShareCenter / goAhead Web Server
  • TVT: NVMS-9000 Digital Video Recorder (DVR)
  • LILIN: DVR (Variant A & B)
  • Fiberhome: Router SR1041F RP0105
  • Linksys: Router apply.cgi (Variant A & B)

The complete list includes 56 vulnerabilities, with 38 CVEs assigned and 18 without CVEs.

Proactive Security Measures

Defenders should adopt a proactive security posture that includes regular vulnerability assessments, network segmentation, restricted internet exposure, and continuous monitoring for signs of compromise.
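The "exploit shotgun" pattern described above has a simple behavioural signature: one source probes endpoints belonging to many different vendors' products in a short window, regardless of what the target actually runs. The following detection script is an added example, not code from the original article or from any of the vendors named; the log lines and the endpoint-to-vendor signature table are constructed placeholders (the `/apply.cgi` entry mirrors the Linksys item in the list above), and a real deployment would populate the table from the campaign's published indicators.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (common log format). Paths are placeholders, not real exploit URIs.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2025:10:01:02 +0000] "POST /cgi-bin/vendorA_setup.cgi HTTP/1.1" 404 0
203.0.113.7 - - [15/Jun/2025:10:01:03 +0000] "GET /vendorB/dvr_config HTTP/1.1" 404 0
203.0.113.7 - - [15/Jun/2025:10:01:04 +0000] "POST /apply.cgi HTTP/1.1" 404 0
203.0.113.7 - - [15/Jun/2025:10:01:05 +0000] "GET /vendorC/nvr_login?x=1 HTTP/1.1" 404 0
198.51.100.2 - - [15/Jun/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.2 - - [15/Jun/2025:10:02:01 +0000] "GET /apply.cgi HTTP/1.1" 404 0
"""

# Hypothetical signature table: request path -> vendor whose product exposes that endpoint.
SIGNATURES = {
    "/cgi-bin/vendorA_setup.cgi": "VendorA",
    "/vendorB/dvr_config": "VendorB",
    "/apply.cgi": "Linksys",
    "/vendorC/nvr_login": "VendorC",
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+)[^"]*" (\d{3})')

def parse_line(line):
    """Return (src_ip, timestamp, path without query string, status) or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, path.split("?", 1)[0], int(status)

def shotgun_sources(log_text, window_seconds=60, min_vendors=3):
    """Flag source IPs that hit endpoints of >= min_vendors distinct vendors within one window.
    A benign client touches one product's endpoints; a shotgun loader touches many at once."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, path, _status = rec
        vendor = SIGNATURES.get(path)
        if vendor:
            hits[ip].append((when, vendor))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # sliding window over time-ordered probes
        for i, (start, _) in enumerate(events):
            vendors = {v for t, v in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(vendors) >= min_vendors:
                flagged[ip] = sorted(vendors)
                break
    return flagged
```

Because the match is on breadth of probing rather than on any single exploit string, the rule still fires on the 18 flaws that have no CVE identifier, as long as their endpoints are in the table.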

Edward Zhou is CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
