RondoDox Botnet Expands Scope With React2Shell Exploitation

These articles are AI-generated summaries. Please check the original sources for full details.

RondoDox’s Widespread Impact

The RondoDox botnet is actively exploiting the React2Shell flaw (CVE-2025-55182) to target Next.js servers, deploying cryptominers and a Mirai-based botnet variant. Researchers estimate over 90,300 vulnerable servers are exposed globally, with the US having the highest concentration.

Why This Matters

Ideal security models assume prompt patching and robust access controls, but real-world deployments often lag, leaving systems exposed to known exploits. The scale of compromise RondoDox can reach is significant: a single successful exploit can lead to widespread cryptomining or participation in large-scale DDoS attacks, costing organizations millions in remediation and lost productivity.

Key Insights

  • 90,300: Approximate number of publicly exposed vulnerable Next.js servers (Rewterz, 2026).
  • Prototype Pollution: The React2Shell vulnerability stems from deserialization flaws in Next.js Server Actions, allowing for remote code execution.
  • Multi-Architecture Support: RondoDox ships binaries for x86, x86_64, MIPS, ARM, and PowerPC, widening the range of devices it can infect.

Practical Applications

  • Use Case: CloudSEK reports organizations with internet-facing routers and IP cameras are facing automated exploitation attempts.
  • Pitfall: Failing to segment IoT devices onto dedicated VLANs allows for easy lateral movement and propagation of the botnet.
