RondoDox Botnet Exploits Critical React2Shell Flaw


These articles are AI-generated summaries. Please check the original sources for full details.

The RondoDox botnet has been actively exploiting React2Shell (CVE-2025-55182, CVSS 10.0), a critical unauthenticated remote code execution flaw in React Server Components, since shortly after the flaw's public disclosure in December 2025. RondoDox has historically grown by compromising IoT devices such as consumer routers and DVRs; React2Shell extends its reach to web servers running vulnerable React and Next.js deployments. The reported campaign moves from reconnaissance scanning of exposed hosts to large-scale automated deployment of cryptominers and bot payloads.

Why This Matters

Patch operations often lag behind the release cadence of modern web frameworks, and React2Shell was under active exploitation within days of disclosure, before many operators had upgraded. The scale of the exposure, more than 90,000 systems, shows how much botnet capacity a single framework-level flaw can yield: hijacked compute for mining, bandwidth for DDoS, and a foothold for data theft, with the resulting losses commonly estimated in the billions of dollars annually.

Key Insights

  • 90,300: Number of systems worldwide exposed to React2Shell as of December 31, 2025, according to the Shadowserver Foundation.
  • React Server Components (RSC): A React feature, used by Next.js's App Router and other frameworks, in which components render on the server and the server accepts serialized RSC requests from the client. CVE-2025-55182 is a flaw in the server-side handling of those requests that lets an unauthenticated attacker achieve remote code execution on an unpatched deployment; the fix is upgrading the affected packages, not a configuration change.
  • “/nuts/bolts”: A RondoDox component that terminates competing malware on an infected host so the botnet keeps the device's resources to itself.

Practical Applications

  • Use Case: A server running a vulnerable Next.js application is compromised via React2Shell and joined to RondoDox alongside previously infected consumer routers (such as Wavlink devices), then used in DDoS attacks against financial institutions. React2Shell itself affects the React and Next.js server-side packages, not router firmware; the botnet's IoT population comes from other flaws.
  • Pitfall: Neglecting timely patching of React and Next.js deployments, including copies of the affected packages nested inside other dependencies, leaves a host open to RondoDox and similar botnets, with data exfiltration or service disruption as the likely result.
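The patching pitfall above is easy to get wrong in practice because the affected React Server Components packages can appear several times in a lockfile (a top-level copy plus copies nested under other dependencies), and the fix was shipped on several release lines, so a simple "is the version above X" check misses both cases. The script below is an added example written for this summary, not code from RondoDox researchers, the React project or Next.js. It walks an npm lockfileVersion 2/3 `packages` map, finds every copy of the packages named in `FIXED_VERSIONS`, and compares each against the patched release on its own minor line. The version numbers in `FIXED_VERSIONS` and the sample lockfile are assumptions for illustration; replace the table with the exact versions from the React and Next.js advisories for CVE-2025-55182 before relying on the output.

```python
"""Flag React Server Components / Next.js package versions that sit below the
patched release for their minor line. Added example; the FIXED_VERSIONS table
and SAMPLE_LOCK are assumed values, not taken from any vendor advisory."""
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Assumed patched releases per minor line. Replace with the versions listed in
# the React and Next.js advisories; the values here are illustrative only.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "react-server-dom-webpack": ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-parcel": ["19.0.1", "19.1.2", "19.2.1"],
    "react-server-dom-turbopack": ["19.0.1", "19.1.2", "19.2.1"],
    "next": ["15.2.6", "15.3.6", "15.4.8", "15.5.7", "16.0.7"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH[-prerelease]' into a comparable int tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(package: str, installed: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown_line' for one package version.

    The comparison is done per minor line: 15.5.2 is judged against the 15.5.x
    fix, not against the highest fixed version overall."""
    fixed = sorted(parse_version(v) for v in FIXED_VERSIONS.get(package, []))
    if not fixed:
        return "unknown_line"            # package not tracked in the table
    cur = parse_version(installed)
    same_line = [f for f in fixed if f[:2] == cur[:2]]
    if same_line:
        return "patched" if cur >= same_line[0] else "vulnerable"
    if cur[:2] > fixed[-1][:2]:
        return "patched"                 # minor line released after the fix
    return "unknown_line"                # older line with no listed fix: check advisory


def installed_versions(lock: dict) -> List[Tuple[str, str]]:
    """Return (package, version) for every copy of a tracked package in the
    lockfile, including nested node_modules copies a top-level check misses."""
    found: List[Tuple[str, str]] = []
    for path, entry in lock.get("packages", {}).items():
        if "node_modules/" not in path or "version" not in entry:
            continue
        name = path.rsplit("node_modules/", 1)[1]   # handles @scope/name too
        if name in FIXED_VERSIONS:
            found.append((name, entry["version"]))
    return found


def scan_lock(lock_json: str) -> List[Tuple[str, str, str]]:
    """Assess every tracked package copy in a package-lock.json document."""
    return [(n, v, assess(n, v)) for n, v in installed_versions(json.loads(lock_json))]


# Constructed sample lockfile for the demo; not from any real project.
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/next": {"version": "15.5.2"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "19.2.0"},
        "node_modules/some-plugin/node_modules/react-server-dom-webpack": {"version": "19.1.2"},
    },
})

if __name__ == "__main__":
    for name, version, status in scan_lock(SAMPLE_LOCK):
        print(f"{status:13} {name}@{version}")
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCK` with the file contents; anything reported as `vulnerable` needs an upgrade on its own release line, and `unknown_line` entries (a line with no listed fix) should be checked against the advisory by hand rather than assumed safe.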
