
Security Affairs

RondoDox Botnet targets 56 flaws across 30+ device types worldwide

Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, and has been active globally since June. Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits at a target to see which succeed. In July, FortiGuard Labs first spotted the RondoDox botnet exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection. Trend Micro first observed RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw first demonstrated at Pwn2Own 2023 and still popular with botnets. RondoDox now exploits multiple CVEs, including CVE-2024-3721 and CVE-2024-12856, and has evolved into a multivector loader targeting diverse devices.
Below are some of the vulnerabilities exploited in the RondoDox campaigns:

Vendor | Product | CVE ID | CWE | Type
-------|---------|--------|-----|-----
D-Link | DNS-343 ShareCenter / goAhead Web Server | N/A | CWE-78 | No CVE
TVT | NVMS-9000 Digital Video Recorder (DVR) | N/A | CWE-78 | No CVE
LILIN | DVR (Variant A) | N/A | CWE-78 | No CVE
LILIN | DVR (Variant B) | N/A | CWE-78 | No CVE
Fiberhome | Router SR1041F RP0105 | N/A | CWE-78 | No CVE
Linksys | Router apply.cgi (Variant A) | N/A | CWE-78 | No CVE
Linksys | Router apply.cgi (Variant B) | N/A | CWE-78 | No CVE
BYTEVALUE | Intelligent Flow Router | N/A | CWE-78 | No CVE
D-Link | DIR-645 & DIR-815 | N/A | CWE-78 | No CVE
Unknown | wlan_operate endpoint | N/A | CWE-78 | No CVE
Unknown | resize_ext2 endpoint | N/A | CWE-78 | No CVE
ASMAX | 804 Router | N/A | CWE-78 | No CVE
D-Link | DIR-X4860 | N/A | CWE-78 | No CVE
Unknown | File Upload (upgrade form) | N/A | CWE-78 | No CVE
Brickcom | IP Camera | N/A | CWE-78 | No CVE
IQrouter | IQrouter 3.3.1 | N/A | CWE-78 | No CVE
Ricon | Industrial Cellular Router S9922XL | N/A | CWE-78 | No CVE
Unknown | Shell endpoint | N/A | CWE-78 | No CVE
Nexxt | Router Firmware | CVE-2022-44149 | CWE-78 | N-Day
D-Link | DIR-645 Wired/Wireless Router | CVE-2015-2051 | CWE-78 | N-Day
Netgear | R7000 / R6400 Router | CVE-2016-6277 | CWE-78 | N-Day
Netgear | Multiple Routers (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day
Apache | HTTP Server | CVE-2021-41773 | CWE-22 | N-Day
Apache | HTTP Server | CVE-2021-42013 | CWE-22 | N-Day
TBK | Multiple DVRs | CVE-2024-3721 | CWE-78 | N-Day
TOTOLINK | Router (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day
Meteobridge | Web Interface | CVE-2025-4008 | CWE-78 | N-Day
D-Link | DNS-320 | CVE-2020-25506 | CWE-78 | N-Day
Digiever | DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day
Netgear | DGN1000 | CVE-2024-12847 | CWE-78 | N-Day
D-Link | Multiple Products | CVE-2024-10914 | CWE-78 | N-Day
Edimax | RE11S Router | CVE-2025-22905 | CWE-78 | N-Day
QNAP | VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day
D-Link | DIR-816 | CVE-2022-37129 | CWE-78 | N-Day
GNU | Bash (ShellShock) | CVE-2014-6271 | CWE-78 | N-Day
Dasan | GPON Home Router | CVE-2018-10561 | CWE-287 | N-Day
Four-Faith | Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day
TP-Link | Archer AX21 | CVE-2023-1389 | CWE-78 | N-Day
D-Link | Multiple Products | CVE-2019-16920 | CWE-78 | N-Day
Tenda | Router (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day
Tenda | Router (deviceName) | CVE-2020-10987 | CWE-78 | N-Day
LB-LINK | Multiple Routers | CVE-2023-26801 | CWE-78 | N-Day
Linksys | E-Series Multiple Routers | CVE-2025-34037 | CWE-78 | N-Day
AVTECH | CCTV | CVE-2024-7029 | CWE-78 | N-Day
TOTOLINK | X2000R | CVE-2025-5504 | CWE-78 | N-Day
ZyXEL | P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day
Hytec Inter | HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day
Belkin | Play N750 | CVE-2014-1635 | CWE-120 | N-Day
TRENDnet | TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day
TP-Link | TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day
D-Link | DIR820LA1_FW105B03 | CVE-2023-25280 | CWE-78 | N-Day
Billion | 5200W-T Router | CVE-2017-18369 | CWE-78 | N-Day
Cisco | Multiple Products | CVE-2019-1663 | CWE-119 | N-Day
TOTOLINK | Router (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day

“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own,” states Trend Micro. “The campaign’s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls.”

Even when vulnerabilities are reported and patched, attackers exploit them faster than before. Organizations that delay updates or don’t track their devices give threats like RondoDox a chance to stay in their systems.

“Moving forward, defenders must adopt a proactive security posture that includes regular vulnerability assessments, network segmentation to limit lateral movement, restrict internet exposure, and continuous monitoring for signs of compromise,” concludes the report.

Pierluigi Paganini
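As an added illustration of the report's "continuous monitoring" recommendation (example code written for this page, not Trend Micro's or Security Affairs' tooling), the script below scans web-server access logs for the two weakness classes that dominate the table, CWE-78 command injection and CWE-22 path traversal, and then flags any source that sprays many distinct endpoints inside a short window, which is what an "exploit shotgun" looks like from the target's side. The log lines, source addresses, endpoint paths, regexes and thresholds are all constructed for the example and are heuristics, not vendor-specific signatures for the CVEs listed above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Heuristics grounded in the two weakness classes that dominate the table
# above: CWE-78 (OS command injection: shell metacharacters in a request)
# and CWE-22 (path traversal: parent-directory sequences). They are
# generic, constructed for this example, not vendor-specific signatures.
CMD_INJECTION = re.compile(r"[;|`]|\$\(")
PATH_TRAVERSAL = re.compile(r"\.\./|\.\.\\")

# Apache/NGINX "combined" log format; sample lines below are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one source sprays six different endpoints in a
# few seconds, one legitimate client, and one source with a single probe.
SAMPLE_LOG = """\
198.51.100.7 - - [15/Jun/2025:10:00:01 +0000] "GET /cgi-bin/ping.cgi?host=1.1.1.1;id HTTP/1.1" 404 196
198.51.100.7 - - [15/Jun/2025:10:00:02 +0000] "GET /device.rsp?cmd=list;reboot HTTP/1.1" 404 196
198.51.100.7 - - [15/Jun/2025:10:00:03 +0000] "GET /cgi-bin/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 196
198.51.100.7 - - [15/Jun/2025:10:00:04 +0000] "POST /api/diag?target=`id` HTTP/1.1" 404 196
198.51.100.7 - - [15/Jun/2025:10:00:05 +0000] "GET /setup.cgi?host=a|id HTTP/1.1" 404 196
198.51.100.7 - - [15/Jun/2025:10:00:06 +0000] "GET /goform/set?name=$(id) HTTP/1.1" 404 196
192.0.2.10 - - [15/Jun/2025:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.10 - - [15/Jun/2025:10:00:08 +0000] "GET /search?q=cats|dogs HTTP/1.1" 200 512
203.0.113.5 - - [15/Jun/2025:10:05:00 +0000] "GET /cgi-bin/ping.cgi?host=1.1.1.1;id HTTP/1.1" 404 196
"""


def decode(uri):
    # Decode twice so single- and double-encoded sequences both surface.
    return unquote(unquote(uri))


def classify(uri):
    """Return the weakness class a request resembles, or None."""
    decoded = decode(uri)
    if PATH_TRAVERSAL.search(decoded):
        return "CWE-22"
    if CMD_INJECTION.search(decoded):
        return "CWE-78"
    return None


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "uri": m.group("uri"),
            "status": int(m.group("status"))}


def shotgun_sources(lines, window=timedelta(seconds=60), min_distinct=5):
    """Flag source IPs that hit at least `min_distinct` different suspicious
    endpoints inside one sliding `window`: the fingerprint of an exploit
    shotgun, as opposed to a single stray probe or a lone false positive."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        weakness = classify(rec["uri"])
        if weakness:
            path = decode(rec["uri"]).partition("?")[0]
            by_ip[rec["ip"]].append((rec["ts"], path, weakness))
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            paths = {p for _, p, _ in in_window}
            if len(paths) >= min_distinct:
                alerts[ip] = {
                    "distinct_endpoints": len(paths),
                    "weaknesses": sorted({w for _, _, w in in_window}),
                    "first_seen": start.isoformat(),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in shotgun_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info}")
```

Only 198.51.100.7 is reported: it touched six distinct endpoints with both weakness classes inside a minute. The legitimate client's `cats|dogs` query does trip the CWE-78 heuristic, but a single hit stays below the cardinality threshold, which is the point of scoring per source over a window rather than alerting on every pattern match. On a real device fleet the same logic would be fed from the management interfaces of the routers, DVRs and NVRs in the table, and the per-source alert is a cue to check that device against the vendor's patch list and to pull it off direct internet exposure, as the report recommends.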

Published: 2025-10-10T07:33:56