Botnet Operators Execute First Known Exploit of Nearly Decade-Old Flaw

Operators behind a botnet picked up on a nearly decade-old flaw in Asus routers that allows an unauthenticated attacker to gain remote code execution as the root user.
Researchers at VulnCheck attributed in-the-wild exploitation of CVE-2018-5999, a critical flaw carrying a 9.8 CVSS score, to the RondoDox botnet. The botnet, which surfaced in mid-2025 and focuses on Linux systems, is usually classed as a variant of the Mirai botnet. “Unlike Mirai, this malware’s sole purpose is to execute DoS attacks, whereas Mirai is not only capable of doing DoS attacks but also scans and exploits other systems,” wrote Bitsight in March.
VulnCheck began observing exploitation of the Asus vulnerability on May 17. “Public exploits have been available since 2018,” wrote VulnCheck CTO Jacob Baines in a Friday LinkedIn post. “But until now, we hadn’t seen the vulnerability exploited in the wild.”
RondoDox relies on a multi-stage attack chain built around mass exploitation, particularly targeting end-of-life and IoT devices. It scans for exposed devices, attempting to exploit one of possibly dozens of embedded CVEs at once, often chaining flaws together before introducing a malware payload, which then connects to command-and-control infrastructure.
“RondoDox is well-known for implementing a ton of exploits. Some analyses have tracked its CVE associations well into the 170s, so it’s not surprising or new that they’re using older ones too,” said Baines.
According to Bitsight analysis, the threat actors behind RondoDox likely monitor vulnerability disclosures, exploiting certain CVEs linked to consumer tech before publication. With “compromised residential IPs” serving as its hosting infrastructure, the botnet relies on older vulnerabilities found in “widely deployed, largely end-of-life consumer routers” to maintain persistence.
“There are a ton of Asus routers online, more than 1 million, so it’s very conceivable that this is working for RondoDox,” said Baines.