RondoDox Botnet Exploits 174 Vulnerabilities, Generating 15,000 Daily Attack Attempts on IoT, Router, and Web Infrastructure
What Happened – The RondoDox botnet has expanded its exploit arsenal to 174 distinct flaws, launching up to 15,000 exploitation attempts per day. The campaign targets a wide range of devices, including TP‑Link routers, CCTV/DVR systems, and vulnerable Next.js web servers, by rotating and prioritising the most effective CVEs.
Why It Matters for TPRM –
- Third‑party hardware and SaaS components are being weaponised at scale, raising the probability of supply‑chain compromise.
- Continuous vulnerability rotation makes traditional signature‑based defenses less effective, demanding stronger vendor patch‑management assurances.
- Successful exploitation can lead to service disruption, data exfiltration, or cryptomining on customer‑facing assets.
Who Is Affected – IoT device manufacturers, networking equipment vendors, video‑surveillance providers, cloud‑hosted web application platforms, and any organisations that integrate these third‑party components.
Recommended Actions – Review all third‑party contracts for mandatory CVE remediation timelines, validate that vendors have applied patches for the 174 listed flaws, and implement network‑traffic monitoring for the botnet’s characteristic User‑Agent and traffic‑mimicry patterns.
Technical Notes – The botnet leverages public PoCs for 15 CVEs and custom exploits for the remainder, mimicking gaming/VPN traffic to evade detection. Notable CVEs include CVE‑2023‑1389 (TP‑Link Archer AX21), CVE‑2024‑3721, CVE‑2024‑12856, and the “React2Shell” flaw CVE‑2025‑55182 affecting Next.js servers. The attack vector is vulnerability exploitation; the impact is primarily service disruption, with potential for data loss. Source: Security Affairs