RondoDox botnet exploits React2Shell flaw to breach Next.js servers
by Bill Toulas · BleepingComputerThe RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
First documented by Fortinet in July 2025, RondoDox is a large-scale botnet that targets multiple n-day flaws in global attacks. In November, VulnCheck spotted new RondoDox variants that featured exploits for CVE-2025-24893, a critical remote code execution (RCE) vulnerability in the XWiki Platform.
A new report from cybersecurity company CloudSEK notes that RondoDox started scanning for vulnerable Next.js servers on December 8 and began deploying botnet clients three days later.
React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement the React Server Components (RSC) 'Flight' protocol, including Next.js.
The flaw has been leveraged by several threat actors to breach multiple organizations. North Korean hackers exploited React2Shell to deploy a new malware family named EtherRAT.
As of December 30, the Shadowserver Foundation reports detecting over 94,000 internet-exposed assets vulnerable to React2Shell.
CloudSEK says that RondoDox has passed through three distinct operational phases this year:
- Reconnaissance and vulnerability testing from March to April 2025
- Automated web app exploitation from April to June 2025
- Large-scale IoT botnet deployment from July to today
Regarding React2Shell, the researchers report that RondoDox has focused its exploitation around the flaw significantly lately, launching over 40 exploit attempts within six days in December.
During this operational phase, the botnet conducts hourly IoT exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise routers to enroll new bots.
After probing potentially vulnerable servers, CloudSEK says that RoundDox started to deploy payloads that included a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a variant of Mirai (/nuts/x86).
The ‘bolts’ component removes competing botnet malware from the host, enforces persistence via /etc/crontab, and kills non-whitelisted processes every 45 seconds, the researchers say.
CloudSEK provides a set of recommendations for companies to protect against this RondoDox activity, among them auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and monitoring for suspicious processes being executed.
Break down IAM silos like Bitpanda, KnowBe4, and PathAI
Broken IAM isn't just an IT problem - the impact ripples across your whole business.
This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.