
RondoDox Botnet targets 56 flaws across 30+ device types worldwide


RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, CCTV systems, and servers, active globally since June.

Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.

Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits to see which succeed.

In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection.

Trend Micro first observed RondoDox activity on June 15, 2025, exploiting CVE-2023-1389 in TP-Link Archer AX21 routers, a flaw first demonstrated at Pwn2Own 2023 and still popular with botnets.

RondoDox now exploits multiple CVEs, including CVE-2024-3721 and CVE-2024-12856, evolving into a multivector loader targeting diverse devices.

Below are some of the vulnerabilities exploited in the RondoDox campaigns:

| Vendor | Product | CVE ID | CWE | Type |
|---|---|---|---|---|
| D-Link | DNS-343 ShareCenter / goAhead Web Server | N/A | CWE-78 | No CVE |
| TVT | NVMS-9000 Digital Video Recorder (DVR) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant A) | N/A | CWE-78 | No CVE |
| LILIN | DVR (Variant B) | N/A | CWE-78 | No CVE |
| Fiberhome | Router SR1041F RP0105 | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant A) | N/A | CWE-78 | No CVE |
| Linksys | Router apply.cgi (Variant B) | N/A | CWE-78 | No CVE |
| BYTEVALUE | Intelligent Flow Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-645 & DIR-815 | N/A | CWE-78 | No CVE |
| Unknown | wlan_operate endpoint | N/A | CWE-78 | No CVE |
| Unknown | resize_ext2 endpoint | N/A | CWE-78 | No CVE |
| ASMAX | 804 Router | N/A | CWE-78 | No CVE |
| D-Link | DIR-X4860 | N/A | CWE-78 | No CVE |
| Unknown | File Upload (upgrade form) | N/A | CWE-78 | No CVE |
| Brickcom | IP Camera | N/A | CWE-78 | No CVE |
| IQrouter | IQrouter 3.3.1 | N/A | CWE-78 | No CVE |
| Ricon | Industrial Cellular Router S9922XL | N/A | CWE-78 | No CVE |
| Unknown | Shell endpoint | N/A | CWE-78 | No CVE |
| Nexxt | Router Firmware | CVE-2022-44149 | CWE-78 | N-Day |
| D-Link | DIR-645 Wired/Wireless Router | CVE-2015-2051 | CWE-78 | N-Day |
| Netgear | R7000 / R6400 Router | CVE-2016-6277 | CWE-78 | N-Day |
| Netgear | Multiple Routers (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day |
| Apache | HTTP Server | CVE-2021-41773 | CWE-22 | N-Day |
| Apache | HTTP Server | CVE-2021-42013 | CWE-22 | N-Day |
| TBK | Multiple DVRs | CVE-2024-3721 | CWE-78 | N-Day |
| TOTOLINK | Router (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day |
| Meteobridge | Web Interface | CVE-2025-4008 | CWE-78 | N-Day |
| D-Link | DNS-320 | CVE-2020-25506 | CWE-78 | N-Day |
| Digiever | DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day |
| Netgear | DGN1000 | CVE-2024-12847 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2024-10914 | CWE-78 | N-Day |
| Edimax | RE11S Router | CVE-2025-22905 | CWE-78 | N-Day |
| QNAP | VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day |
| D-Link | DIR-816 | CVE-2022-37129 | CWE-78 | N-Day |
| GNU | Bash (ShellShock) | CVE-2014-6271 | CWE-78 | N-Day |
| Dasan | GPON Home Router | CVE-2018-10561 | CWE-287 | N-Day |
| Four-Faith | Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day |
| TP-Link | Archer AX21 | CVE-2023-1389 | CWE-78 | N-Day |
| D-Link | Multiple Products | CVE-2019-16920 | CWE-78 | N-Day |
| Tenda | Router (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day |
| Tenda | Router (deviceName) | CVE-2020-10987 | CWE-78 | N-Day |
| LB-LINK | Multiple Routers | CVE-2023-26801 | CWE-78 | N-Day |
| Linksys | E-Series Multiple Routers | CVE-2025-34037 | CWE-78 | N-Day |
| AVTECH | CCTV | CVE-2024-7029 | CWE-78 | N-Day |
| TOTOLINK | X2000R | CVE-2025-5504 | CWE-78 | N-Day |
| ZyXEL | P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day |
| Hytec Inter | HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day |
| Belkin | Play N750 | CVE-2014-1635 | CWE-120 | N-Day |
| TRENDnet | TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day |
| TP-Link | TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day |
| D-Link | DIR820LA1_FW105B03 | CVE-2023-25280 | CWE-78 | N-Day |
| Billion | 5200W-T Router | CVE-2017-18369 | CWE-78 | N-Day |
| Cisco | Multiple Products | CVE-2019-1663 | CWE-119 | N-Day |
| TOTOLINK | Router (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day |
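The "exploit shotgun" pattern described above has a detectable shape on the defender's side: one source hitting the same host with several unrelated exploit families (the CWE-78 command-injection and CWE-22 traversal classes that dominate the table) within seconds. The following is an added example, not code from Trend Micro or the article, that scores access-log sources by how many distinct families they fire inside a time window; the log lines and the coarse per-family regexes are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Coarse indicators for the exploit classes in the table (CWE-78, CWE-22); triage
# heuristics to tune to local traffic, not production IDS signatures.
FAMILIES = {
    "CWE-78 command injection": (re.compile(r"[;|`]|\$\(|%3b|%7c|%24%28", re.I), "req"),
    "CWE-22 path traversal": (re.compile(r"(\.\.|\.%2e|%2e%2e)(/|%2f)", re.I), "req"),
    "CWE-78 ShellShock header": (re.compile(r"\(\)\s*\{"), "ua"),
}
# Combined log format: ip ident user [ts] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Constructed sample lines (not real RondoDox traffic): one source fires three
# families within seconds, the other spreads two probes over half an hour.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jun/2025:10:00:01 +0000] "GET /cgi-bin/diag.cgi?host=127.0.0.1;id HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2025:10:00:02 +0000] "GET /images/..%2f..%2fetc/passwd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Jun/2025:10:00:03 +0000] "GET /cgi-bin/status HTTP/1.1" 404 0 "-" "() { :; }; echo probe"',
    '198.51.100.9 - - [15/Jun/2025:10:30:00 +0000] "GET /setup.cgi?name=a|id HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [15/Jun/2025:11:00:00 +0000] "GET /../../etc/passwd HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
]

def classify(req, ua):
    """Return the set of exploit families a single request matches."""
    fields = {"req": req, "ua": ua}
    return {name for name, (rx, field) in FAMILIES.items() if rx.search(fields[field])}

def find_shotgun_sources(lines, window_minutes=5, min_families=2):
    """Map ip -> sorted families for sources hitting >= min_families families within window_minutes."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        fams = classify(m["req"], m["ua"])
        if fams:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events[m["ip"]].append((ts, fams))
    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e[0])
        for t0, _ in evs:  # slide a window forward from each flagged request
            fams = set().union(*(f for t, f in evs if t0 <= t <= t0 + window))
            if len(fams) >= min_families:
                flagged[ip] = sorted(fams)
                break
    return flagged
```

Widening the window (for example to 60 minutes) also catches the slower second source, which is the trade-off between catching low-and-slow scanners and generating noise from single stray probes.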

“The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own,” states Trend Micro. “The campaign’s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls.”

Even when vulnerabilities are reported and patched, attackers exploit them faster than before. Organizations that delay updates or don’t track their devices give threats like RondoDox a chance to stay in their systems.

“Moving forward, defenders must adopt a proactive security posture that includes regular vulnerability assessments, network segmentation to limit lateral movement, restrict internet exposure, and continuous monitoring for signs of compromise,” concludes the report.


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)