What happened
Researchers at Bitsight identified a large-scale campaign involving the RondoDox botnet, which is exploiting a wide range of known vulnerabilities across internet-facing systems to expand its network of compromised devices. The botnet uses an “exploit shotgun” approach, launching attacks against dozens of vulnerabilities simultaneously to maximize infection rates across routers, IoT devices, web servers, and enterprise systems. Reports indicate that RondoDox has evolved rapidly, incorporating newly disclosed flaws such as React2Shell (CVE-2025-55182) and other remote code execution vulnerabilities to gain initial access and deploy payloads including cryptominers and botnet clients. The malware operates as an automated exploitation framework, targeting exposed management interfaces and unpatched systems to establish persistent control and enable further malicious activity such as DDoS attacks and lateral movement.
Who is affected
Organizations and individuals running vulnerable or unpatched internet-facing devices—including routers, IoT systems, and web applications—are affected, particularly environments exposed to the internet or lacking regular patching practices.
Why CISOs should care
The campaign highlights how botnets are increasingly leveraging large volumes of known vulnerabilities to scale infections quickly, turning unpatched infrastructure into distributed attack platforms and increasing risk across enterprise and cloud environments.
3 practical actions
- Patch known vulnerabilities promptly. The botnet relies on exploiting publicly disclosed flaws across multiple systems.
- Reduce exposure of internet-facing devices. Limit access to management interfaces and vulnerable services.
- Monitor for automated exploitation patterns. Detect scanning and rapid multi-exploit activity across infrastructure.
For more coverage of newly disclosed security flaws and active exploitation, explore our reporting under the Vulnerabilities tag.