RondoDox Botnet Exploiting Units With React2Shell Flaw

A botnet marketing campaign has been deploying React2Shell exploits to compromise IoT gadgets and web-facing functions at scale, safety researchers discovered.

See Additionally: On Demand | Ransomware in 2025: Evolving Threats, Exploited Vulnerabilities, and a Unified Protection Technique

Safety agency CloudSEK uncovered the marketing campaign and attributed it to the RondoDox botnet. The marketing campaign, launched in March, started exploiting the distant code React2Shell exploit in Meta-developed, open-source React framework in December.

RondoDox is a comparatively new botnet recognized for mimicking site visitors from gaming platforms or digital personal community servers to evade detection.

Within the newest marketing campaign, the attackers first compromised net functions akin to WordPress, Drupal, Struts 2 and WebLogic to achieve preliminary entry. The hackers then proceed to steal credentials to compromise the IoT gadgets. Amongst focused gadgets are DLink, TP-Hyperlink, Netgear, Linksys, Asus and IP cameras.

“The exercise spans from March 2025 to December 2025, displaying fast adaptation to the most recent traits in assaults by the menace actor group, not limiting themselves to deploying botnet payloads, net shells and crypto miners,” CloudSEK researchers mentioned.

The React2Shell flaw, tracked as CVE-2025-55182, has a CVSS rating of 10, the best severity. Given the relative ease with which it may be exploited, hackers, together with Chinese language and North Korean state hackers, have been recognized to instantly goal cloud environments and workloads that run the framework. Greater than 77,000 IP addresses have been discovered to be susceptible to the flaw as of early December.

Within the newest marketing campaign, attackers focused organizations working Subsequent.js Server Actions, which is a React framework that controls HTTP requests and responses. “The vulnerability permits full server compromise by way of deserialization flaws in Server Actions,” CloudSEK mentioned.

Attackers then deploy a coinminer and Mirai IoT malware, and a Linux-focused botnet assist framework for persistence, CloudSEK mentioned.

To forestall potential assaults utilizing the flaw, CloudSEK recommends that the attackers evaluation all Subsequent.js functions utilizing Server Actions, disable distant administration interfaces and isolate all IoT gadgets.