
At the core of RondoDox’s approach is the simultaneous firing of dozens of exploit attempts — rather than meticulously selecting a single vulnerability. The attackers cast a wide net, hoping one of the exploits succeeds. This method allows the botnet to compromise unmanaged, exposed devices at scale. The Trend Zero Day Initiative and Trend Micro’s research team have flagged active exploitation since June 2025, including several vulnerabilities now listed in the U.S. CISA Known Exploited Vulnerabilities catalogue.
One of the earliest observed exploitation events in the campaign occurred on 15 June 2025, when RondoDox leveraged CVE-2023-1389 — a command-injection flaw in the WAN interface of the TP-Link Archer AX21 router. That issue had first been demonstrated at Pwn2Own Toronto 2022. From that point, the botnet rapidly expanded its toolkit to include two additional high-risk exploits: CVE-2024-3721, targeting TBK DVRs, and CVE-2024-12856 in Four-Faith routers.
Today, the RondoDox arsenal reportedly comprises 56 vulnerabilities, of which 50 are command injection flaws. Other classes include buffer overflows, authentication bypasses, and path traversal issues. Many devices compromised by the botnet run on legacy or poorly maintained firmware, making them ripe targets. Eighteen of the flaws exploited lack CVE identifiers, illustrating that the attackers are scanning deeply across firmware, custom code, and lesser-known components.
While the exploit shotgun approach is noisy, it offers considerable reach. RondoDox does not tailor payloads to each target but deploys a multi-architecture loader capable of supporting Mirai/Morte variants, enabling remote control, proxy leasing, or participation in distributed denial-of-service campaigns. The malware also disguises its traffic to resemble legitimate services — mimicking game platforms, VPN protocols, STUN/DTLS flows, and other real-time traffic — making detection harder for network defenders.
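The "exploit shotgun" phase described above is noisy by design: a single source fires many different exploit attempts at many different endpoints within seconds. The Python script below is an added example, not code from the article, from Trend Micro or from the ZDI, showing one way a defender can surface that pattern in ordinary web-server access logs: it groups requests by source address, URL-decodes each request target, and flags a source that hits many distinct paths with shell-metacharacter patterns typical of command-injection probes inside one sliding window. The log lines, endpoint paths, source addresses and thresholds are all constructed for the example and are not RondoDox indicators.

```python
"""Flag 'exploit shotgun' bursts in Combined Log Format access logs.

Added example (not from the article or from Trend Micro/ZDI). Every
log line, path, IP address and threshold here is a constructed
placeholder chosen to illustrate the detection logic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined Log Format: ip ident user [ts] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Shell metacharacters that commonly appear in command-injection probes.
# Matched after URL-decoding so encoded forms such as %3B or %7C are caught.
INJECT_RE = re.compile(r'[;|`]|\$\(|\$\{')

# Constructed sample: one noisy source probing six invented endpoints in a
# few seconds, one normal client, and one lone probe that stays under threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2025:09:00:01 +0000] "GET /cgi-bin/example_a.cgi?host=1.1.1.1;id HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:00:02 +0000] "POST /example_b/login HTTP/1.1" 500 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:00:04 +0000] "GET /example_c/config?cmd=`id` HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:00:05 +0000] "GET /example_d/ping?ip=127.0.0.1%7Cid HTTP/1.1" 403 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:00:07 +0000] "GET /example_e/upnp HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2025:09:00:09 +0000] "GET /example_f/set?name=$(id) HTTP/1.1" 404 162 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2025:09:01:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2025:09:01:12 +0000] "GET /status?format=json HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Oct/2025:09:01:15 +0000] "GET /api/v1/health HTTP/1.1" 200 16 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2025:09:02:30 +0000] "GET /cgi-bin/example_a.cgi?host=1.1.1.1;id HTTP/1.1" 404 162 "-" "curl/8.0"
"""


def parse_line(line):
    """Return (ip, timestamp, path, injection_flag), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    target = unquote(m.group("target"))      # decode %XX before pattern matching
    path = target.split("?", 1)[0]           # distinct-path count ignores the query
    return m.group("ip"), ts, path, bool(INJECT_RE.search(target))


def detect_shotgun(log_text, window_seconds=60, min_distinct_paths=5, min_injection_hits=3):
    """Return {ip: stats} for sources that, within one sliding window, hit at least
    min_distinct_paths different paths and sent at least min_injection_hits
    requests carrying injection-style metacharacters."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, path, inj = parsed
            events[ip].append((ts, path, inj))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for ip, evs in events.items():
        evs.sort()
        best = None
        for i, (t_end, _, _) in enumerate(evs):
            # Every request from this source in the window that ends at t_end.
            in_win = [e for e in evs[: i + 1] if t_end - e[0] <= window]
            distinct = {p for _, p, _ in in_win}
            inj_hits = sum(1 for _, _, inj in in_win if inj)
            if len(distinct) >= min_distinct_paths and inj_hits >= min_injection_hits:
                stats = {"distinct_paths": len(distinct),
                         "injection_hits": inj_hits,
                         "window_end": t_end.isoformat()}
                # Keep the widest window seen for this source.
                if best is None or stats["distinct_paths"] > best["distinct_paths"]:
                    best = stats
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_shotgun(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {stats}")
```

Running it on the constructed sample flags only 203.0.113.7 (six distinct paths, four injection-style requests in nine seconds); the normal client and the single isolated probe stay below the thresholds. The thresholds are deliberately two-dimensional: path diversity alone catches crawlers and scanners, metacharacters alone catch a single exploit attempt, and only the combination matches the spray of many different exploits that the article describes. In production the same logic would run over a streaming log pipeline with the source address enriched by the device type being probed, so that a burst against firmware the organization actually runs is escalated ahead of generic noise.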
Devices from vendors including QNAP, D-Link, Netgear, Linksys, TOTOLINK, ASMAX, Brickcom, LILIN, and TVT have all been identified in the victim list. Some exploits date back years or even decades, such as variants of Shellshock. Analysts warn that many routers and network devices are deployed and forgotten, without timely patching or firmware updates — the precise conditions RondoDox seeks to exploit.
Security firms and defenders caution that organizations with internet-facing network gear face high risk of infiltration, data exfiltration, or disruption. Typical mitigation strategies include immediate patching of affected firmware, network segmentation to isolate vulnerable infrastructure, enforcement of unique and strong credentials, removal of unsupported devices, and continuous behavioural monitoring for anomalies. In many cases, defenders have a narrow window: the “exploit shotgun” attack model can find and compromise vulnerable systems faster than patch cycles can respond.
Enterprise and critical infrastructure environments are not inherently safe; the campaign’s deployment across a broad variety of device types underscores that even apparently innocuous edge gear can open pathways into larger networks. Companies with large IoT footprints are especially urged to audit device exposure and assume that any device with unused endpoints may be scanned.
Trend Micro has incorporated rules to detect or block many of the vulnerabilities exploited by RondoDox, and some security vendors now flag the loader and payload behaviors. Analysts stress threat intelligence sharing and red teaming exercises as key practices to stay ahead of evolving botnet tactics.