Key Takeaways
- A botnet campaign is using React2Shell (CVE-2025-55182) exploits to compromise web applications and, from there, IoT devices.
- The RondoDox botnet adapts quickly to newly disclosed vulnerabilities and has compromised over 77,000 vulnerable IPs since it began in March 2025.
- Security experts recommend reviewing Next.js applications and isolating IoT devices to prevent attacks.
Botnet Campaign Targets IoT Devices with React2Shell Exploits
A recently identified botnet campaign is using React2Shell exploits to compromise Internet of Things (IoT) devices and web applications at scale. The security firm CloudSEK uncovered the activity and attributed it to the RondoDox botnet, whose campaign began in March 2025 and has since added React2Shell to its exploit set.
RondoDox primarily exploits a critical vulnerability in React Server Components, part of the Meta-developed React framework, tracked as CVE-2025-55182 with a CVSS score of 10.0. The flaw has become a focal point for attackers, including state-affiliated groups in China and North Korea that are known to target the cloud environments where this framework runs.
According to CloudSEK, the botnet disguises its traffic as gaming and VPN server traffic to evade detection. It gains initial access through web applications such as WordPress, Drupal, Struts 2 and WebLogic, then uses stolen credentials to reach IoT devices, including devices from D-Link, TP-Link, Netgear, Linksys and Asus, as well as IP cameras.
The campaign ran from March to December 2025, and its operators moved quickly to pick up newly disclosed vulnerabilities. Researchers also noted that the threat actor does not limit itself to botnet payloads: it deploys web shells and cryptocurrency miners as well.
Next.js Server Actions are server-side functions that the framework exposes as HTTP endpoints and invokes on behalf of the client. The vulnerability is a deserialization flaw in the handling of Server Action requests, which allows remote code execution and complete compromise of the server. To reduce exposure, CloudSEK urges organizations to audit their Next.js applications and update affected packages, disable remote management interfaces, and isolate all IoT devices on segregated networks.
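The following Python script is an added example, not code from CloudSEK or from the original article, showing how the recommended Next.js audit can be done against an npm lockfile: it walks every `react-server-dom-*` and `next` entry (including nested copies under other dependencies) and classifies each as fixed, vulnerable, or needing manual review. The fixed-version table is an assumption based on my reading of the React and Next.js advisories for CVE-2025-55182 and must be confirmed against the vendor advisories; the lockfile content is constructed for the demonstration, and the function names are my own.

```python
"""Audit an npm lockfile for React Server Components packages affected by
CVE-2025-55182 (React2Shell). Supports npm lockfileVersion 2 and 3 layouts."""
import json
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]
FixTable = Dict[Tuple[int, int], Version]

# Minimum patched version per release line, keyed by (major, minor).
# ASSUMPTION: these values reflect my reading of the React and Next.js advisories
# for CVE-2025-55182; confirm them against the vendor advisories before relying on them.
RSC_FIXED: FixTable = {(19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
FIXED_VERSIONS: Dict[str, FixTable] = {
    "react-server-dom-webpack": RSC_FIXED,
    "react-server-dom-parcel": RSC_FIXED,
    "react-server-dom-turbopack": RSC_FIXED,
    # Next.js bundles its own copy of the RSC runtime, so a patched react-server-dom-*
    # entry alone proves nothing: the next package itself must be on a fixed version.
    "next": {
        (15, 0): (15, 0, 5), (15, 1): (15, 1, 9), (15, 2): (15, 2, 6),
        (15, 3): (15, 3, 6), (15, 4): (15, 4, 8), (15, 5): (15, 5, 7),
        (16, 0): (16, 0, 7),
    },
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(.+))?$")

# Constructed sample lockfile for the demonstration; not taken from any real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"next": "15.5.6", "react": "19.2.0"}},
        "node_modules/next": {"version": "15.5.6"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-dom": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        # A nested copy pulled in by another dependency: it must be checked too.
        "node_modules/some-tool/node_modules/react-server-dom-webpack": {"version": "19.2.1"},
        "node_modules/react-server-dom-turbopack": {"version": "19.2.0-canary-abc123-20251101"},
    },
})


def parse_version(text: str) -> Optional[Tuple[int, int, int, Optional[str]]]:
    """Split '19.2.0-canary-x' into (19, 2, 0, 'canary-x'); None if unparseable."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def package_name(lock_path: str) -> str:
    """'node_modules/a/node_modules/b' -> 'b' (scoped names keep their '@scope/')."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def assess(name: str, version: str) -> str:
    """Classify one package as 'fixed', 'vulnerable', 'review' or 'not-tracked'.

    'review' covers prerelease builds (canary/rc, where the fix state depends on
    the exact build), unparseable versions, and release lines not in the table.
    """
    table = FIXED_VERSIONS.get(name)
    if table is None:
        return "not-tracked"
    parsed = parse_version(version)
    if parsed is None:
        return "review"
    major, minor, patch, prerelease = parsed
    fixed = table.get((major, minor))
    if fixed is None or prerelease is not None:
        return "review"
    return "fixed" if (major, minor, patch) >= fixed else "vulnerable"


def audit_lockfile(lock_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (lockfile path, package, version, status) for every tracked package,
    including nested copies under other dependencies' node_modules."""
    data = json.loads(lock_text)
    packages = data.get("packages")
    if packages is None:
        raise ValueError("only npm lockfileVersion 2/3 layouts (with a 'packages' map) are supported")
    findings = []
    for path, meta in packages.items():
        if not path:  # the "" key is the root project entry, not a dependency
            continue
        name = package_name(path)
        if name in FIXED_VERSIONS:
            version = meta.get("version", "")
            findings.append((path, name, version, assess(name, version)))
    return findings


def needs_action(findings: List[Tuple[str, str, str, str]]) -> List[str]:
    """Lockfile paths that are either vulnerable or need manual review."""
    return [path for path, _, _, status in findings if status != "fixed"]


if __name__ == "__main__":
    for path, name, version, status in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{status:<11} {name}@{version}  ({path})")
```

Run it against a real `package-lock.json` by reading the file into `audit_lockfile`. Two design points matter in practice: nested copies of the RSC packages under another dependency's `node_modules` are just as reachable at runtime as the top-level one, so they are reported separately, and canary or release-candidate builds are deliberately sent to manual review rather than guessed at, because a prerelease version string does not say whether the fix commit is in that build.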
In light of this campaign, organizations running React Server Components or Next.js, and those managing IoT devices, should treat these measures as urgent: the speed with which RondoDox adopted a newly disclosed flaw shows how short the window between disclosure and mass exploitation has become.
The content above is a summary. For more details, see the source article.