The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.
A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js.
The flaw has been leveraged by several threat actors to breach multiple organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT.
As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.
CloudSEK says that RondoDox has passed through three distinct operational phases this year:
Reconnaissance and vulnerability testing from March to April 2025
Automated web app exploitation from April to June 2025
Large-scale IoT botnet deployment from July to today
... continue reading