Security researchers from Trend Micro have identified a rapidly escalating botnet operation dubbed RondoDox. This campaign has exploited over 50 vulnerabilities across more than 30 vendors, utilizing both newly discovered and previously demonstrated flaws from the Pwn2Own security contests. The emergence of RondoDox underscores the increasing threat of automated network exploitation targeting various internet-connected devices, including routers, digital video recorders (DVRs), and network video recorders (NVRs).
Emergence of RondoDox and Its Tactics
The initial signs of RondoDox activity appeared in June 2025 when Trend Micro telemetry detected an attack exploiting CVE-2023-1389, a vulnerability in the TP-Link Archer AX21 Wi-Fi router. This flaw, which involves an authentication bypass and command injection via the router’s WAN interface, had been responsibly disclosed and patched in 2023. Despite these precautions, RondoDox operators managed to exploit unpatched internet-facing routers, highlighting a concerning trend in cybersecurity: vulnerabilities exposed in security competitions quickly transition to active exploitation.
RondoDox has evolved into a stealthy botnet campaign that primarily targets command-injection vulnerabilities across a broad spectrum of devices. The malware’s main goal is to gain shell access, execute remote commands, and deploy multiarchitecture payloads. Early investigations by FortiGuard Labs linked RondoDox to attacks against TBK DVRs and Four-Faith routers, exploiting vulnerabilities such as CVE-2024-3721 and CVE-2024-12856. The campaign has since broadened its scope, employing a “loader-as-a-service” model that combines RondoDox with established malware families like Mirai and Morte, complicating detection and response efforts.
The Exploit Shotgun Approach
Unlike previous botnets that focused on specific vulnerabilities, RondoDox employs an “exploit shotgun” approach, launching multiple exploits simultaneously to compromise a wide array of targets. This strategy allows the botnet to maximize infection rates across diverse environments. The arsenal of RondoDox now includes dozens of Common Vulnerabilities and Exposures (CVEs) affecting routers, cameras, web servers, and Internet of Things (IoT) devices from over 30 manufacturers. Among the most targeted vulnerabilities are CVE-2023-1389, CVE-2024-3721, and CVE-2024-12856, emphasizing the urgent need for organizations to patch these flaws promptly.
The payload delivery process follows a multi-stage sequence: initial exploitation of a device’s management interface, execution of remote commands, downloading of malicious payloads, and registration within the botnet. Once compromised, infected devices can be used for various malicious purposes, including data exfiltration, denial-of-service (DoS) attacks, or as launchpads for further lateral movements within enterprise networks.
The RondoDox campaign highlights a significant vulnerability in global vulnerability management. Despite responsible disclosure and vendor patching, many organizations delay applying updates, leaving their systems exposed for extended periods. The swift reuse of vulnerabilities revealed during Pwn2Own demonstrates how quickly research findings can be weaponized when patch adoption lags. Additionally, with the integration of artificial intelligence into cyber operations, attackers can automate vulnerability scanning, exploit development, and payload distribution, significantly speeding up the timeline from vulnerability disclosure to real-world exploitation.
Strengthening Cybersecurity Measures
To counter RondoDox and similar threats, organizations must adopt a proactive and layered defense strategy. Key mitigations include:
– **Prioritize patching and visibility:** Maintain an updated asset inventory and promptly patch all high-risk vulnerabilities, including those listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
– **Strengthen network and access controls:** Implement system segmentation, enforce least privilege access, utilize multi-factor authentication (MFA), and limit internet exposure.
– **Enhance monitoring and response:** Continuously monitor for anomalies, leverage threat intelligence, and maintain tested backups for rapid recovery.
– **Promote security culture and hygiene:** Harden configurations, eliminate default credentials, and train users to recognize and thwart potential threats.
Together, these measures create a robust defense that reduces exposure, limits attacker movement, and fortifies organizational resilience against evolving cyber threats.
The RondoDox campaign, exploiting over 50 vulnerabilities across multiple vendors, exemplifies the speed and scale of modern exploit operations. As attackers increasingly automate vulnerability discovery and weaponization, the gap between vulnerability disclosure and exploitation is narrowing. Defending against threats like RondoDox necessitates constant vigilance, rapid patching, and a proactive commitment to securing all layers of the network.
