RondoDox Botnet targets 56 flaws across 30+ device types worldwide

Pierluigi Paganini October 10, 2025

RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, CCTV systems, and servers, active globally since June.

Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.

Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits to see which succeed.

In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection.

Trend Micro first observed RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw first demonstrated at Pwn2Own 2023 and still popular with botnets.

RondoDox now exploits multiple CVEs, including CVE-2024-3721 and CVE-2024-12856, and has evolved into a multi-vector loader targeting a diverse set of devices.

Below are some of the vulnerabilities exploited in the RondoDox campaigns:

| Vendor | Product | CVE ID | CWE | Type |
|---|---|---|---|---|
| D-Link | DNS-343 ShareCenter / goAhead Web Server | N/A | CWE-78 | No CVE |
| TVT | NVMS-9000 Digital Video Recorder (DVR) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant A) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant B) | N/A | CWE-78 | No CVE |
| Fiberhome | Router SR1041F RP0105 | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant A) | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant B) | N/A | CWE-78 | No CVE |
| BYTEVALUE | Intelligent Flow Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-645 & DIR-815 | N/A | CWE-78 | No CVE |
| Unknown | wlan_operate endpoint | N/A | CWE-78 | No CVE |
| Unknown | resize_ext2 endpoint | N/A | CWE-78 | No CVE |
| ASMAX | 804 Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-X4860 | N/A | CWE-78 | No CVE |
| Unknown | File Upload (upgrade form) | N/A | CWE-78 | No CVE |
| Brickcom | IP Camera | N/A | CWE-78 | No CVE |
| IQrouter | IQrouter 3.3.1 | N/A | CWE-78 | No CVE |
| Ricon | Industrial Cellular Router S9922XL | N/A | CWE-78 | No CVE |
| Unknown | Shell endpoint | N/A | CWE-78 | No CVE |
| Nexxt | Router Firmware | CVE-2022-44149 | CWE-78 | N-Day |
| D-Link | DIR-645 Wired/Wireless Router | CVE-2015-2051 | CWE-78 | N-Day |
| Netgear | R7000 / R6400 Router | CVE-2016-6277 | CWE-78 | N-Day |
| Netgear | Multiple Routers (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day |
| Apache | HTTP Server | CVE-2021-41773 | CWE-22 | N-Day |
| Apache | HTTP Server | CVE-2021-42013 | CWE-22 | N-Day |
| TBK | Multiple DVRs | CVE-2024-3721 | CWE-78 | N-Day |
| TOTOLINK | Router (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day |
| Meteobridge | Web Interface | CVE-2025-4008 | CWE-78 | N-Day |
| D-Link | DNS-320 | CVE-2020-25506 | CWE-78 | N-Day |
| Digiever | DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day |
| Netgear | DGN1000 | CVE-2024-12847 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2024-10914 | CWE-78 | N-Day |
| Edimax | RE11S Router | CVE-2025-22905 | CWE-78 | N-Day |
| QNAP | VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day |
| D-Link | DIR-816 | CVE-2022-37129 | CWE-78 | N-Day |
| GNU | Bash (ShellShock) | CVE-2014-6271 | CWE-78 | N-Day |
| Dasan | GPON Home Router | CVE-2018-10561 | CWE-287 | N-Day |
| Four-Faith | Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day |
| TP-Link | Archer AX21 | CVE-2023-1389 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2019-16920 | CWE-78 | N-Day |
| Tenda | Router (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day |
| Tenda | Router (deviceName) | CVE-2020-10987 | CWE-78 | N-Day |
| LB-LINK | Multiple Routers | CVE-2023-26801 | CWE-78 | N-Day |
| Linksys | E-Series Multiple Routers | CVE-2025-34037 | CWE-78 | N-Day |
| AVTECH | CCTV | CVE-2024-7029 | CWE-78 | N-Day |
| TOTOLINK | X2000R | CVE-2025-5504 | CWE-78 | N-Day |
| ZyXEL | P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day |
| Hytec Inter | HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day |
| Belkin | Play N750 | CVE-2014-1635 | CWE-120 | N-Day |
| TRENDnet | TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day |
| TP-Link | TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day |
| D-Link | DIR820LA1_FW105B03 | CVE-2023-25280 | CWE-78 | N-Day |
| Billion | 5200W-T Router | CVE-2017-18369 | CWE-78 | N-Day |
| Cisco | Multiple Products | CVE-2019-1663 | CWE-119 | N-Day |
| TOTOLINK | Router (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day |

“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own,” states Trend Micro. “The campaign’s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls.”

Even when vulnerabilities are reported and patched, attackers exploit them faster than before. Organizations that delay updates or do not keep an inventory of their devices give threats like RondoDox a chance to persist in their networks.

“Moving forward, defenders must adopt a proactive security posture that includes regular vulnerability assessments, network segmentation to limit lateral movement, restrict internet exposure, and continuous monitoring for signs of compromise,” concludes the report.
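The table above is only useful to a defender once it is checked against what is actually deployed. The following script is an added example, not code from Trend Micro or Security Affairs: it parses an excerpt of the article's target table into structured records, reports how the entries break down by weakness class (CWE-78 OS command injection dominates), and cross-references a constructed asset inventory against the list, flagging rows that cover "Multiple" products for manual review. The inventory entries and the pipe-delimited table encoding are assumptions made for the example; the vendor, product, CVE and CWE values are taken from the article.

```python
"""Cross-check an asset inventory against the RondoDox target list.

Added example (not the article's or Trend Micro's code). TARGET_TABLE is an
excerpt of the article's table, re-encoded as pipe-delimited text for parsing;
INVENTORY is constructed sample data in (vendor, model) form.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

TARGET_TABLE = """\
vendor|product|cve|cwe|type
D-Link|DNS-343 ShareCenter / goAhead Web Server|N/A|CWE-78|No CVE
TVT|NVMS-9000 Digital Video Recorder (DVR)|N/A|CWE-78|No CVE
D-Link|DIR-645 & DIR-815|N/A|CWE-78|No CVE
D-Link|DIR-645 Wired/Wireless Router|CVE-2015-2051|CWE-78|N-Day
Netgear|R7000 / R6400 Router|CVE-2016-6277|CWE-78|N-Day
Netgear|Multiple Routers (mini_httpd)|CVE-2020-27867|CWE-78|N-Day
Apache|HTTP Server|CVE-2021-41773|CWE-22|N-Day
Apache|HTTP Server|CVE-2021-42013|CWE-22|N-Day
TBK|Multiple DVRs|CVE-2024-3721|CWE-78|N-Day
GNU|Bash (ShellShock)|CVE-2014-6271|CWE-78|N-Day
Dasan|GPON Home Router|CVE-2018-10561|CWE-287|N-Day
Four-Faith|Industrial Routers|CVE-2024-12856|CWE-78|N-Day
TP-Link|Archer AX21|CVE-2023-1389|CWE-78|N-Day
Belkin|Play N750|CVE-2014-1635|CWE-120|N-Day
Cisco|Multiple Products|CVE-2019-1663|CWE-119|N-Day
"""

# Constructed inventory: what an asset-management export might look like.
INVENTORY: List[Tuple[str, str]] = [
    ("TP-Link", "Archer AX21"),
    ("D-Link", "DIR-645"),
    ("Netgear", "R7000"),
    ("Ubiquiti", "EdgeRouter X"),  # not in the target list
]


@dataclass(frozen=True)
class Target:
    vendor: str
    product: str
    cve: Optional[str]  # None for the rows the article lists as "No CVE"
    cwe: str
    kind: str


def parse_targets(text: str) -> List[Target]:
    """Parse the pipe-delimited table; the first line is the header."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    targets = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split("|")))
        cve = None if rec["cve"] == "N/A" else rec["cve"]
        targets.append(Target(rec["vendor"], rec["product"], cve, rec["cwe"], rec["type"]))
    return targets


def cwe_breakdown(targets: List[Target]) -> Counter:
    """Count targets per weakness class."""
    return Counter(t.cwe for t in targets)


def _norm(s: str) -> str:
    """Lower-case and drop everything but letters and digits, so that
    'DIR-645' matches 'DIR-645 & DIR-815' regardless of punctuation."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def match_inventory(inventory: List[Tuple[str, str]], targets: List[Target]):
    """Return (vendor, model, target) for every target row that could apply.

    A row applies when the vendor matches and either the model string occurs
    in the product name or the row covers 'Multiple' products; the latter is
    deliberately over-inclusive and should be confirmed by hand.
    """
    hits = []
    for vendor, model in inventory:
        for t in targets:
            if t.vendor.lower() != vendor.lower():
                continue
            prod = _norm(t.product)
            if _norm(model) in prod or "multiple" in prod:
                hits.append((vendor, model, t))
    return hits


if __name__ == "__main__":
    targets = parse_targets(TARGET_TABLE)
    for cwe, n in cwe_breakdown(targets).most_common():
        print(f"{cwe}: {n}")
    for vendor, model, t in match_inventory(INVENTORY, targets):
        print(f"{vendor} {model}: {t.product} -> {t.cve or 'no CVE'} ({t.cwe})")
```

The "Multiple Products" rows are the reason to keep a human in the loop: a hit on them says only that the vendor is on the list, so the right follow-up is to check the vendor advisory for the specific model and firmware before concluding the device is safe or exposed.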
