Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
Essential information
- Published
- 26/11/2025 09:54
- Modified
- 21/12/2025 18:05
- Tags
- 2025-11-26, CVE-2013-1599, CVE-2014-3206, CVE-2020-10987, CVE-2020-9054, CVE-2022-36553, CVE-2022-40619, CVE-2023-1389, CVE-2023-23333, CVE-2023-41011, CVE-2024-10914, CVE-2024-3721, CVE-2025-34043, CVE-2025-4008, CVE-2025-9528, botnet, command injection, iot, mirai, mirai variant, multi-platform, residential infrastructure, rondodox, shell script
- Related entities
- 23 vulnerabilities (CVE), 26 observables, 1 intrusion set (APT), 20 techniques (MITRE), 2 malware
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (23)
A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi …
- Published
- 20/12/2025
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via …
- Attack vector
- NETWORK
- Published
- 15/07/2020
- Modified
- 21/12/2025
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
- Attack vector
- NETWORK
- Published
- 30/08/2022
- Modified
- 21/12/2025
A vulnerability was determined in Linksys E1700 1.0.0.4.003. This vulnerability affects the function systemCommand of the file /goform/systemCommand. Executing manipulation of the …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/08/2025
- Modified
- 29/04/2026
- Published
- 20/12/2025
- Modified
- 21/12/2025
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
- Attack vector
- Adjacent
- Published
- 01/05/2023
- Modified
- 21/12/2025
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …
- Attack vector
- NETWORK
- Published
- 06/11/2024
- Modified
- 21/12/2025
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
- Published
- 16/05/2022
- Modified
- 20/12/2025
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …
- Attack vector
- NETWORK
- Published
- 14/04/2022
- Modified
- 21/12/2025
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector
- NETWORK
- Published
- 13/04/2024
- Modified
- 21/12/2025
Observables (26)
- c789f239a9cf039752e3926ee3b4387b3f6a1f6657531277caebf90685b018a2
- df9f756f355d1122e46ce12bb84553c89cdab71c6402a257b78bc768578f51c7
- c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d
- f11ede0c682e818357943a166239867a19b0c1d321e84213e28e21beb2c49c87
- f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae
- 3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa
- e683864f4016b24b164ebaa5d900963b730a1df45bcbf9fa947b644d673dbc21
- 69a17194dba061f56ec3a23debfa1d3fdee7dd92789af17038387b294093aa5d
- 17be568b6b2acb3b237c6dc81b3692976bb83eea76a7a26fd405805d34901016
- 3a4afea2c16905816b922229dc5d03311d58c470fa4580dcd9248302bcdfbdc4
- 81200976b8717c340041eee6ff051e1a87f8f73d86a9e17465b34be4c9488839
- 032d7b946259add6db097d3ee4375caffe2c7dcf7da81e72c32eaa24b3bde164
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138