Pierluigi Paganini
October 10, 2025
Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.
Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits to see which succeed.
In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection.
Trend Micro first seen RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routersm, a flaw first shown at Pwn2Own 2023 and still popular with botnets.
RondoDox now exploits multiple CVEs, including CVE-2024-3721 and CVE-2024-12856, evolving into a multivector loader targeting diverse devices.
Below are some of the vulnerabilities exploited in the RondoDox campaigns:
| Vendor | Product | CVE ID | CWE | Type |
| D-Link | DNS-343 ShareCenter / goAhead Web Server | N/A | CWE-78 | No CVE |
| TVT | NVMS-9000 Digital Video Recorder (DVR) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant A) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant B) | N/A | CWE-78 | No CVE |
| Fiberhome | Router SR1041F RP0105 | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant A) | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant B) | N/A | CWE-78 | No CVE |
| BYTEVALUE | Intelligent Flow Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-645 & DIR-815 | N/A | CWE-78 | No CVE |
| Unknown | wlan_operate endpoint | N/A | CWE-78 | No CVE |
| Unknown | resize_ext2 endpoint | N/A | CWE-78 | No CVE |
| ASMAX | 804 Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-X4860 | N/A | CWE-78 | No CVE |
| Unknown | File Upload (upgrade form) | N/A | CWE-78 | No CVE |
| Brickcom | IP Camera | N/A | CWE-78 | No CVE |
| IQrouter | IQrouter 3.3.1 | N/A | CWE-78 | No CVE |
| Ricon | Industrial Cellular Router S9922XL | N/A | CWE-78 | No CVE |
| Unknown | Shell endpoint | N/A | CWE-78 | No CVE |
| Nexxt | Router Firmware | CVE-2022-44149 | CWE-78 | N-Day |
| D-Link | DIR-645 Wired/Wireless Router | CVE-2015-2051 | CWE-78 | N-Day |
| Netgear | R7000 / R6400 Router | CVE-2016-6277 | CWE-78 | N-Day |
| Netgear | Multiple Routers (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day |
| Apache | HTTP Server | CVE-2021-41773 | CWE-22 | N-Day |
| Apache | HTTP Server | CVE-2021-42013 | CWE-22 | N-Day |
| TBK | Multiple DVRs | CVE-2024-3721 | CWE-78 | N-Day |
| TOTOLINK | Router (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day |
| Meteobridge | Web Interface | CVE-2025-4008 | CWE-78 | N-Day |
| D-Link | DNS-320 | CVE-2020-25506 | CWE-78 | N-Day |
| Digiever | DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day |
| Netgear | DGN1000 | CVE-2024-12847 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2024-10914 | CWE-78 | N-Day |
| Edimax | RE11S Router | CVE-2025-22905 | CWE-78 | N-Day |
| QNAP | VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day |
| D-Link | DIR-816 | CVE-2022-37129 | CWE-78 | N-Day |
| GNU | Bash (ShellShock) | CVE-2014-6271 | CWE-78 | N-Day |
| Dasan | GPON Home Router | CVE-2018-10561 | CWE-287 | N-Day |
| Four-Faith | Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day |
| TP-Link | Archer AX21 | CVE-2023-1389 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2019-16920 | CWE-78 | N-Day |
| Tenda | Router (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day |
| Tenda | Router (deviceName) | CVE-2020-10987 | CWE-78 | N-Day |
| LB-LINK | Multiple Routers | CVE-2023-26801 | CWE-78 | N-Day |
| Linksys | E-Series Multiple Routers | CVE-2025-34037 | CWE-78 | N-Day |
| AVTECH | CCTV | CVE-2024-7029 | CWE-78 | N-Day |
| TOTOLINK | X2000R | CVE-2025-5504 | CWE-78 | N-Day |
| ZyXEL | P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day |
| Hytec Inter | HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day |
| Belkin | Play N750 | CVE-2014-1635 | CWE-120 | N-Day |
| TRENDnet | TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day |
| TP-Link | TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day |
| D-Link | DIR820LA1_FW105B03 | CVE-2023-25280 | CWE-78 | N-Day |
| Billion | 5200W-T Router | CVE-2017-18369 | CWE-78 | N-Day |
| Cisco | Multiple Products | CVE-2019-1663 | CWE-119 | N-Day |
| TOTOLINK | Router (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day |
“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own.” states Trend Micro. “The campaign’s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls.”
Even when vulnerabilities are reported and patched, attackers exploit them faster than before. Organizations that delay updates or don’t track their devices give threats like RondoDox a chance to stay in their systems.
“Moving forward, defenders must adopt a proactive security posture that includes regular vulnerability assessments, network segmentation to limit lateral movement, restrict internet exposure, and continuous monitoring for signs of compromise.” concludes the report.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, botnet)
