Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
Essential information
- Published
- 26/11/2025 09:54
- Modified
- 21/12/2025 18:05
- Tags
- 2025-11-26 CVE-2013-1599 CVE-2014-3206 CVE-2020-10987 CVE-2020-9054 CVE-2022-36553 CVE-2022-40619 CVE-2023-1389 CVE-2023-23333 CVE-2023-41011 CVE-2024-10914 CVE-2024-3721 CVE-2025-34043 CVE-2025-4008 CVE-2025-9528 botnet command injection iot mirai mirai variant multi-platform residential infrastructure rondodox shell script
- Related entities
- 23 vulnerabilities (cve), 26 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (23)
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary …
- Published
- 25/03/2022
- Modified
- 21/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of …
- Attack vector
- Network
- Published
- 20/12/2025
- Modified
- 09/03/2026
There is a command injection vulnerability in SolarView Compact through 6.00; attackers can execute commands by bypassing internal restrictions through downloader.php.
- Attack vector
- Network
- Published
- 06/02/2023
- Modified
- 21/12/2025
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application …
- Attack vector
- Adjacent
- Published
- 02/10/2025
- Modified
- 21/12/2025
The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading …
- Attack vector
- Network
- Published
- 10/04/2023
- Modified
- 21/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …
- Attack vector
- Network
- Published
- 28/01/2020
- Modified
- 21/12/2025
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 13/12/2022
- Modified
- 20/12/2025
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/06/2017
- Modified
- 22/04/2026
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
- Published
- 03/11/2021
- Modified
- 21/12/2025
Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via …
- Attack vector
- Network
- Published
- 14/09/2023
- Modified
- 21/12/2025
Observables (26)
- 192.183.232.142
- 74.194.191.52
- 38.59.219.27
- 83.252.42.112
- http://74.194.191.52/rondo.mips||curl
- http://74.194.191.52/rondo.mips||busybox
- http://74.194.191.52/rondo.mips
- 8634f53097f511dd1b7c253a0fbc4bc468e3ee38abd0490a39dd92edaee905de
- a65e3438103d31ccb213083b2b6ef40b558580b4246251b558fc68e6a2a2ba92
- 2af74246497c671cc9976cd9919fdc4beaa459e9b4b30a42f561b45919da950b
- 470a74b888617299820acbe2daf03001eca7dc64a7002cd00beb163b3663187e
Intrusion sets (APT) (1)
- AlienVault (confidence 100; first seen 01/01/1970, last seen 16/11/5138)