Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
Essential information
- Published
- 26/11/2025 09:54
- Modified
- 21/12/2025 18:05
- Tags
- 2025-11-26 CVE-2013-1599 CVE-2014-3206 CVE-2020-10987 CVE-2020-9054 CVE-2022-36553 CVE-2022-40619 CVE-2023-1389 CVE-2023-23333 CVE-2023-41011 CVE-2024-10914 CVE-2024-3721 CVE-2025-34043 CVE-2025-4008 CVE-2025-9528 botnet command injection iot mirai mirai variant multi-platform residential infrastructure rondodox shell script
- Related entities
- 23 vulnerabilities (cve), 26 observables, 1 intrusion sets (apt), 20 techniques (mitre), 2 malware
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (23)
Multiple Zyxel network-attached storage (NAS) devices contain a pre-authentication command injection vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary …
- Published
- 25/03/2022
- Modified
- 21/12/2025
SAP NetWeaver Visual Composer Metadata Uploader is not protected with proper authorization, allowing an unauthenticated agent to upload potentially malicious executable binaries …
- Attack vector
- Network
- Published
- 29/04/2025
- Modified
- 21/12/2025
FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of …
- Attack vector
- Network
- Published
- 20/12/2025
- Modified
- 09/03/2026
SolarView Compact through 6.00 contains a command injection vulnerability: attackers can execute commands by bypassing internal restrictions through downloader.php.
- Attack vector
- Network
- Published
- 06/02/2023
- Modified
- 21/12/2025
The Meteobridge web interface lets Meteobridge administrators manage their weather station data collection and administer their Meteobridge system through a web application …
- Attack vector
- Adjacent
- Published
- 02/10/2025
- Modified
- 21/12/2025
The WP Meta SEO WordPress plugin before 4.5.5 does not validate image file paths before attempting to manipulate the image files, leading …
- Attack vector
- Network
- Published
- 10/04/2023
- Modified
- 21/12/2025
Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.
- Published
- 03/11/2021
- Modified
- 20/12/2025
A Command Injection vulnerability exists in the /var/www/cgi-bin/rtpd.cgi script in D-Link IP Cameras DCS-3411/3430 firmware 1.02, DCS-5605/5635 1.01, DCS-1100L/1130L 1.04, DCS-1100/1130 1.03, …
- Attack vector
- Network
- Published
- 28/01/2020
- Modified
- 21/12/2025
Multiple versions of Fortinet FortiOS SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute arbitrary …
- Attack vector
- Network
- Published
- 13/12/2022
- Modified
- 20/12/2025
PHPUnit allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "<?php " substring, as demonstrated by …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/06/2017
- Modified
- 22/04/2026
ThinkPHP contains an unspecified vulnerability that allows for remote code execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command.
- Published
- 03/11/2021
- Modified
- 21/12/2025
Command Execution vulnerability in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code via …
- Attack vector
- Network
- Published
- 14/09/2023
- Modified
- 21/12/2025
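The vulnerability descriptions above name several web-reachable exploitation paths: the ThinkPHP invokefunction string, PHP code at the start of a POST body against PHPUnit, shell metacharacters in the Tenda deviceName POST parameter, and command injection through SolarView's downloader.php and D-Link's rtpd.cgi. The classifier below turns those descriptions into triage rules and runs them over a handful of request records. It is an added example, not code from this report or from the RondoDox research it summarizes. The log format (`ip method target body`), the client addresses, the `/goform/SetDevName` endpoint and every request body are constructed for illustration; only the ThinkPHP string is taken verbatim from the page, and each matcher checks no more than the endpoint or parameter the description names plus a shell metacharacter, so treat the output as a hunting hint rather than a complete signature set.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Shell metacharacters that have no business inside a device-name or file
# parameter; their presence in a targeted parameter is the injection signal.
SHELL_META = re.compile(r"[;&|`]|\$\(")

# The ThinkPHP payload fragment quoted in the vulnerability list above.
THINKPHP_RE = re.compile(r"\\think\\app/invokefunction|call_user_func_array", re.I)


def classify_request(method: str, target: str, body: str) -> list[str]:
    """Return the names of the exploit patterns one HTTP request matches.

    Assumption: the matchers below cover only what the page's descriptions
    name (script, parameter, payload prefix); they are not vendor signatures.
    """
    hits = []
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    query = unquote(parts.query)

    if THINKPHP_RE.search(unquote(target)):
        hits.append("thinkphp-invokefunction-rce")
    if path.endswith("/downloader.php") and SHELL_META.search(query):
        hits.append("solarview-downloader-cmdi")
    if path.endswith("/cgi-bin/rtpd.cgi") and SHELL_META.search(query):
        hits.append("dlink-rtpd-cgi-cmdi")
    if method == "POST":
        # PHPUnit: the page says the POST data begins with "<?php".
        if body.lstrip().startswith("<?php"):
            hits.append("phpunit-php-code-in-post")
        # Tenda AC15: the page names only the deviceName POST parameter.
        for value in parse_qs(body, keep_blank_values=True).get("deviceName", []):
            if SHELL_META.search(value):
                hits.append("tenda-devicename-cmdi")
                break
    return hits


def scan_log(text: str) -> dict[str, list[str]]:
    """Run classify_request over 'ip method target body' lines ('-' = no body).

    Returns {client_ip: [rule, ...]} for clients that fired at least one rule.
    """
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        fields = line.split(maxsplit=3)
        if len(fields) < 3:
            continue
        ip, method, target = fields[:3]
        body = fields[3] if len(fields) == 4 else ""
        if body == "-":
            body = ""
        for rule in classify_request(method.upper(), target, body):
            rules = findings.setdefault(ip, [])
            if rule not in rules:
                rules.append(rule)
    return findings


# Constructed sample records (addresses are RFC 5737 documentation ranges;
# /goform/SetDevName is a placeholder path, the page names only the parameter).
SAMPLE_LOG = r"""
203.0.113.5 GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id -
203.0.113.5 POST /goform/SetDevName deviceName=cam01|id
198.51.100.7 POST /index.php <?php echo shell_exec('id'); ?>
198.51.100.7 GET /cgi-bin/rtpd.cgi?echo;id -
198.51.100.7 GET /downloader.php?file=a;id -
192.0.2.10 GET /images/logo.png -
192.0.2.10 POST /login username=admin&password=hunter2
"""

if __name__ == "__main__":
    for client, rules in scan_log(SAMPLE_LOG).items():
        print(client, rules)
```

The request body is matched as-is because the PHPUnit and Tenda descriptions hinge on POST data, which an access log does not carry; feed this from a WAF or reverse-proxy log that records bodies, or drop the two body rules when only access logs are available. Both hosts in the sample hit more than one unrelated device family in a row, which is the spray pattern the report's "Exploit Public-Facing Application" technique describes.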
Observables (26)
- c789f239a9cf039752e3926ee3b4387b3f6a1f6657531277caebf90685b018a2
- df9f756f355d1122e46ce12bb84553c89cdab71c6402a257b78bc768578f51c7
- c987e85b19c6462b06615a61998618c0e7d22ac5e38034e53ef0e34bd452464d
- f11ede0c682e818357943a166239867a19b0c1d321e84213e28e21beb2c49c87
- f0a73797caa35d4d62a23358fa8102d6c434cfc5177623d5dfd2a3efaff66aae
- 3852442d56b08eabb8060f6b72234ff0a5400b89dddf31560b2dc5d8b16c29fa
- e683864f4016b24b164ebaa5d900963b730a1df45bcbf9fa947b644d673dbc21
- 69a17194dba061f56ec3a23debfa1d3fdee7dd92789af17038387b294093aa5d
- 17be568b6b2acb3b237c6dc81b3692976bb83eea76a7a26fd405805d34901016
- 3a4afea2c16905816b922229dc5d03311d58c470fa4580dcd9248302bcdfbdc4
- 81200976b8717c340041eee6ff051e1a87f8f73d86a9e17465b34be4c9488839
- 032d7b946259add6db097d3ee4375caffe2c7dcf7da81e72c32eaa24b3bde164
Intrusion sets (APT) (1)
- AlienVault (confidence 100)
Techniques (MITRE) (20)
- Process Discovery
- Data from Information Repositories
- Valid Accounts
- Network Denial of Service
- Brute Force
- Masquerading
- Indicator Removal
- Exploitation for Privilege Escalation
- Impair Defenses
- Obfuscated Files or Information
- System Services
- Exploit Public-Facing Application