Cybersecurity agency VulnCheck’s newest analysis reveals that cybercriminals at the moment are focusing on outdated fashions of ASUS routers by exploiting a software program vulnerability from 2018, tracked as CVE-2018-5999. This can be a important unauthenticated configuration replace vulnerability with a CVSS rating of 9.8/10 that lets hackers change the settings of the router while not having a password.
The assaults had been found by the agency’s specialised system referred to as VulnCheck Canary Community. Additional probing revealed {that a} botnet (community of contaminated units operating the malware payload) named RondoDox botnet is behind these assaults, and people working it began exploiting the vulnerability on Could 17. Following these findings, the vulnerability has been added to the corporate’s Identified Exploited Vulnerabilities catalogue.
As per the analysis findings, shared with Hackread.com, the assault sample depends on a selected mechanism the place the attackers ship knowledge payloads to set the ateCommand_flag setting to 1. This modification prompts the router’s inside system interface, referred to as infosvr, to open up and settle for unauthorised configuration modifications from the skin.
VulnCheck’s Preliminary Entry group examined this methodology and efficiently used the vulnerability to vary the admin password of a router. What’s extra troubling is that regardless that code to abuse this vulnerability has been public since 2018, hackers had not used it in the actual world till now.
Jacob Baines, the Chief Expertise Officer at VulnCheck, defined the state of affairs in a LinkedIn put up, noting that “RondoDox is well-known for implementing a ton of exploits. Some analyses have tracked its CVE associations effectively into the 170s, so it’s not shocking or new that they’re utilizing older ones too.”
The issue is big as a result of these units are all over the place. ASUS routers are made in Taiwan and China and are extremely popular in properties. Baines added: “There are a ton of ASUS routers on-line, greater than 1 million, so it’s very conceivable that that is working for RondoDox.”
RondoDox operators have been energetic since mid-2025, and largely assault techniques operating Linux software program, very similar to one other botnet operator referred to as Mirai. Nonetheless, RondoDox is targeted on a selected aim of beginning Denial of Service assaults. These assaults flood an internet site or system with an excessive amount of web visitors till it crashes.
In keeping with VulnCheck’s State of Exploitation 2026 report findings on edge gadget vulnerabilities, cybercriminals search for outdated tech that corporations don’t assist with software program updates anymore, technically referred to as end-of-life units.
VulnCheck discovered that 56 % of attacked web edge units in 2025 had been shopper routers. Additionally, 65 % of vulnerabilities utilized by botnets had been on unsupported tech. This makes it simple for scammers to take over residence web routers.
This warning follows latest protection by Hackread.com on one other RondoDox marketing campaign reported by CloudSEK, the place the botnet focused sensible cameras and web sites by exploiting a important Subsequent.js vulnerability referred to as React2Shell (CVE-2025-55182) to hijack servers with out a password.
