RondoDox Botnet Exploits React2Shell to Hijack Thousands of Nextjs Servers Worldwide

Listen to this Post

Featured Image

Introduction: A New Wave of Server-Side Exploitation

The global threat landscape has entered a more dangerous phase as botnet operators increasingly weaponize modern web frameworks instead of legacy software alone. One of the most alarming examples of this shift is the RondoDox botnet, which has now been observed actively exploiting the critical React2Shell vulnerability (CVE-2025-55182). By targeting Next.js servers that rely on React Server Components, RondoDox demonstrates how a single architectural weakness can cascade into mass compromise, malware deployment, and cryptomining at internet scale.

Background: What Is RondoDox and Why It Matters

RondoDox is not a newly formed threat, but its evolution in 2025 marks a significant escalation. First documented by Fortinet in July 2025, the botnet quickly distinguished itself through its ability to exploit multiple known vulnerabilities in coordinated, global campaigns. Unlike opportunistic malware, RondoDox operates with structured phases, automated tooling, and a clear objective: building and maintaining a massive, resilient botnet across servers and IoT devices alike.

Vulnerability Focus: Understanding React2Shell

At the center of this campaign is React2Shell, an unauthenticated remote code execution vulnerability affecting frameworks that implement the React Server Components “Flight” protocol. Next.js, one of the most widely used modern web frameworks, is among the most exposed. The flaw can be triggered with a single HTTP request, allowing attackers to execute arbitrary commands on the server without credentials, dramatically lowering the barrier for exploitation.

Timeline: When RondoDox Turned to Next.js

According to a detailed report by CloudSEK, RondoDox began scanning for vulnerable Next.js servers on December 8. Within just three days, the botnet shifted from reconnaissance to active exploitation, deploying botnet clients onto compromised servers. This rapid transition highlights a high level of automation and confidence in the reliability of the exploit.

Widespread Exposure: The Scale of the Problem

The scope of the threat is amplified by the sheer number of exposed systems. As of December 30, the Shadowserver Foundation reported more than 94,000 internet-facing assets still vulnerable to React2Shell. This level of exposure provides botnet operators with a vast attack surface, enabling them to selectively target high-value systems while still compromising thousands of others opportunistically.

Prior Exploits: A Pattern of Aggression

React2Shell is not the first critical flaw abused by RondoDox. In November, VulnCheck identified new variants of the botnet exploiting CVE-2025-24893, a critical remote code execution vulnerability in the XWiki Platform. This pattern confirms that RondoDox is designed to rapidly integrate newly disclosed n-day vulnerabilities into its exploitation pipeline.

Threat Actor Overlap: React2Shell Beyond RondoDox

The danger of React2Shell is underscored by its use by multiple threat actors. North Korean hacking groups have already leveraged the flaw to deploy a new malware family known as EtherRAT. This convergence suggests that React2Shell has become a high-value exploit primitive across state-sponsored and criminal ecosystems alike.

Operational Phases: How RondoDox Evolves

CloudSEK researchers identified three distinct operational phases in RondoDox’s 2025 activity. The first phase, from March to April, focused on reconnaissance and vulnerability testing. The second phase, from April to June, emphasized automated exploitation of web applications. The third and current phase, beginning in July, centers on large-scale IoT botnet deployment that continues to this day.

Escalation in December: React2Shell Takes Center Stage

In December alone, RondoDox launched more than 40 React2Shell exploit attempts within just six days. This sharp increase indicates a strategic pivot, with the botnet prioritizing this vulnerability as a reliable entry point into modern web infrastructure.

IoT Expansion: Hourly Exploitation Waves

Beyond servers, RondoDox continues to aggressively expand its footprint through IoT devices. The botnet conducts hourly exploitation waves targeting Linksys, Wavlink, and other consumer and enterprise-grade routers. Each successful compromise adds another node to the botnet, strengthening its capacity for distributed attacks.

Payload Deployment: What RondoDox Installs

Once access is gained, RondoDox deploys a carefully structured set of payloads. These include a cryptominer identified as “/nuts/poop,” a botnet loader and health-check component named “/nuts/bolts,” and a Mirai-based variant located at “/nuts/x86.” Each component serves a distinct role in monetization, persistence, and control.

Persistence and Control: Inside the “Bolts” Module

The “bolts” component is particularly aggressive. It removes competing botnet malware, enforces persistence by modifying /etc/crontab, and terminates any non-whitelisted processes every 45 seconds. This ensures that RondoDox maintains exclusive control over the infected system and maximizes resource availability.

Defensive Guidance: What Organizations Are Told to Do

CloudSEK recommends a multi-layered defense strategy to mitigate RondoDox activity. Key measures include auditing and patching Next.js Server Actions, isolating IoT devices into dedicated virtual LANs, and continuously monitoring systems for suspicious processes or unauthorized scheduled tasks.

Summary of the Original Findings

The original report outlines how the RondoDox botnet has evolved into a large-scale, highly automated threat capable of exploiting modern web frameworks and IoT infrastructure simultaneously. It explains how React2Shell, a critical unauthenticated RCE vulnerability in React Server Components, has become a primary attack vector against Next.js servers. The article details the botnet’s phased operational history throughout 2025, highlighting reconnaissance, automated exploitation, and mass IoT enrollment. It emphasizes the rapid escalation observed in December, when RondoDox launched dozens of React2Shell exploit attempts in a matter of days. The report also breaks down the malware payloads deployed after compromise, including cryptominers, botnet loaders, and Mirai variants. Finally, it underscores the scale of exposure, with tens of thousands of vulnerable assets still accessible online, and provides defensive recommendations for organizations seeking to reduce risk.

What Undercode Say: A Structural Failure in Modern Web Security

The RondoDox campaign exposes a deeper issue that extends beyond a single vulnerability or botnet. Modern web frameworks like Next.js prioritize developer productivity and performance, often introducing complex server-side abstractions that blur the line between frontend and backend security models. React Server Components are powerful, but their attack surface is still poorly understood by many organizations.

What Undercode Say: The Danger of “One-Request RCE”

Unauthenticated RCE flaws exploitable with a single HTTP request represent the most dangerous class of vulnerabilities on the internet today. They eliminate friction for attackers, enable full automation, and scale effortlessly across thousands of targets. React2Shell fits this profile perfectly, making it inevitable that multiple threat actors would adopt it rapidly.

What Undercode Say: Botnets Are No Longer Just IoT

RondoDox demonstrates that modern botnets are hybrid by design. Servers, cloud workloads, and IoT devices now coexist within the same command-and-control ecosystem. This convergence allows attackers to leverage high-bandwidth servers for mining and control, while using IoT devices for resilience and distributed attacks.

What Undercode Say: Persistence Is the Real Threat

The most alarming aspect of RondoDox is not initial compromise, but persistence. By aggressively removing competitors and enforcing cron-based survival mechanisms, the botnet ensures long-term control. This turns temporary misconfigurations into prolonged security incidents with lasting financial and operational impact.

What Undercode Say: Patch Latency Is the Attacker’s Ally

The continued presence of over 94,000 vulnerable assets indicates that patch latency remains unacceptably high. In fast-moving ecosystems like JavaScript frameworks, security updates are often delayed due to fear of breaking production systems. Attackers are exploiting this hesitation at scale.

What Undercode Say: React2Shell as a Precedent

React2Shell may become a precedent-setting vulnerability. Its exploitation will likely influence how future server-side rendering and component-based architectures are designed, audited, and deployed. Without stricter isolation and validation, similar flaws are almost guaranteed to emerge.

What Undercode Say: Security Ownership Must Shift

Framework-level vulnerabilities challenge traditional security ownership models. Responsibility no longer lies solely with infrastructure teams, but also with application developers who must understand how framework internals translate into real-world risk. RondoDox thrives where this gap exists.

What Undercode Say: Detection Over Prevention

Given the speed of exploitation, organizations must assume that prevention alone will fail. Runtime monitoring, anomaly detection, and rapid incident response are becoming just as critical as patching. RondoDox’s behavior, such as frequent process killing and cron manipulation, offers detectable signals that defenders should prioritize.

Fact Checker Results

✅ RondoDox has been actively exploiting React2Shell against Next.js servers in December 2025.
✅ React2Shell enables unauthenticated remote code execution via a single HTTP request.
❌ There is no evidence that all vulnerable servers have been patched or mitigated globally.

Prediction

🔮 React2Shell exploitation will continue well into 2026 as long as unpatched Next.js deployments remain exposed.
🔮 Hybrid botnets like RondoDox will increasingly target modern web frameworks, not just traditional IoT devices.
🔮 Future React and Next.js releases will face stronger pressure to redesign server-side component security models.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.bleepingcomputer.com
Extra Source Hub (Possible Sources for article):
https://www.quora.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon