The RondoDox botnet has been found actively exploiting a critical software vulnerability called React2Shell. This flaw affects applications built using React Server Components and Next.js, which are widely used across the internet. By abusing this weakness, attackers are able to remotely access servers without authentication. Security experts warn that the activity is ongoing and widespread.


React2Shell, tracked as CVE-2025-55182, allows unauthenticated remote code execution on vulnerable systems. This means attackers can send a specially crafted request and execute commands on a server. Because of how common React and Next.js are, a large number of web servers are exposed. The vulnerability has been rated critical due to its high impact and ease of exploitation.

Soon after the flaw was disclosed, multiple threat actors began scanning the internet for vulnerable systems. Among them, the RondoDox botnet emerged as one of the most aggressive. Researchers observed large-scale scanning activity followed by rapid exploitation. Compromised servers were immediately used to download and run malicious payloads.


Once RondoDox gains access to a system, it installs malware that turns the device into part of its botnet. In many cases, the botnet deploys cryptocurrency miners that abuse system resources for illegal profit. It may also install backdoors to maintain long-term access. These infected systems can later be used for further attacks.

The botnet does not limit itself to web servers. After initial access, it attempts to spread to connected IoT devices such as routers, cameras, and other embedded systems. These devices often lack proper security controls, making them easy targets, which allows RondoDox to expand its botnet rapidly.


Security analysts estimate that tens of thousands of systems remain vulnerable to the React2Shell flaw. Many affected servers and IoT devices have not yet been patched. This leaves them open to compromise at any time. Researchers continue to observe new infections as attackers scan for unprotected systems.

RondoDox is not the only threat exploiting this vulnerability. Multiple cybercriminal groups have been seen using React2Shell to deliver different types of malware. These include botnet loaders, cryptominers, and remote access tools. The public availability of exploit code has accelerated the scale of attacks.


Experts strongly advise organizations to immediately update React and Next.js to patched versions. Additional protections such as web application firewalls, network monitoring, and IoT segmentation are also recommended. Quick action is essential to reduce risk. The RondoDox campaign highlights how fast modern vulnerabilities can be weaponized.
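The first of those steps, confirming that every copy of React Server Components and Next.js in a deployment is at a patched version, is easy to get wrong when a package is pulled in more than once through nested dependencies. The script below is an added example written for this article, not code from the article's author, the React project, or Vercel. It walks a `package-lock.json` (lockfile v2/v3 `packages` layout), finds every installed copy of the packages you list, and flags any copy whose version is below the floor you supply. The package names and the version floors in `EXAMPLE_FLOORS` are constructed for the demo and are not the real fixed versions for CVE-2025-55182; take those from the vendor advisory. A prerelease such as `15.0.5-canary.2` is treated as older than `15.0.5`, which is the case that naive string comparison misses.

```javascript
// Added example (not from the article): inventory a lockfile for React Server
// Components / Next.js packages and flag copies below a patched version floor.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  const nums = core.split(".").map((n) => parseInt(n, 10) || 0);
  while (nums.length < 3) nums.push(0);
  return { nums, pre };
}

// Returns -1, 0 or 1. A prerelease sorts below the release with the same numbers.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1; // release > prerelease
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// The package name is whatever follows the last "node_modules/" in the lock path,
// so nested copies ("node_modules/x/node_modules/next") and scoped packages both work.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Audit every installed copy of the packages named in `floors`.
// Returns one finding per copy; `vulnerable` is true when version < floor.
function auditLockfile(lock, floors) {
  const findings = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    if (lockPath === "") continue; // the project root itself
    const name = packageNameFromPath(lockPath);
    if (!name || !(name in floors) || !entry.version) continue;
    const floor = floors[name];
    findings.push({
      path: lockPath,
      name,
      version: entry.version,
      floor,
      vulnerable: compareVersions(entry.version, floor) < 0,
    });
  }
  return findings;
}

// CONSTRUCTED floors for the demo only; not the real fixed versions for CVE-2025-55182.
const EXAMPLE_FLOORS = {
  next: "15.0.5",
  "react-server-dom-webpack": "19.0.1",
};

// CONSTRUCTED lockfile fragment: one patched copy, one old copy at the root,
// and one prerelease copy nested under a plugin.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/next": { version: "15.0.3" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-server-dom-webpack": { version: "19.0.1" },
    "node_modules/some-plugin/node_modules/next": { version: "15.0.5-canary.2" },
  },
};

function printReport(findings) {
  for (const f of findings) {
    const status = f.vulnerable ? "BELOW FLOOR" : "ok";
    console.log(`${status.padEnd(11)} ${f.name}@${f.version} (floor ${f.floor}) at ${f.path}`);
  }
}

printReport(auditLockfile(SAMPLE_LOCK, EXAMPLE_FLOORS));
```

For a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))` and `EXAMPLE_FLOORS` with the advisory's fixed versions; a clean report only proves the lockfile is current, so redeploy or rebuild the running image as well.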

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news