Tracking RondoDox: Malware Exploiting Many IoT Vulnerabilities
Essential information
- Published
- 26/11/2025 09:54
- Modified
- 21/12/2025 18:05
- Tags
- 2025-11-26 CVE-2013-1599 CVE-2014-3206 CVE-2020-10987 CVE-2020-9054 CVE-2022-36553 CVE-2022-40619 CVE-2023-1389 CVE-2023-23333 CVE-2023-41011 CVE-2024-10914 CVE-2024-3721 CVE-2025-34043 CVE-2025-4008 CVE-2025-9528 botnet command injection iot mirai mirai variant multi-platform residential infrastructure rondodox shell script
- Related entities
- 23 vulnerabilities (CVE), 26 observables, 1 intrusion set (APT), 20 techniques (MITRE), 2 malware
Description
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Vulnerabilities (CVE) (23)
A remote command injection vulnerability exists in Vacron Network Video Recorder (NVR) devices v1.4 due to improper input sanitization in the board.cgi …
- Published
- 20/12/2025
- Modified
- 21/12/2025
In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …
- Attack vector
- Network
- Published
- 12/06/2024
- Modified
- 21/12/2025
Guangzhou 1GE ONU V2801RW 1.9.1-181203 through 2.9.0-181024 and V2804RGW 1.9.1-181203 through 2.9.0-181024 devices allow remote attackers to execute arbitrary OS commands via …
- Attack vector
- Network
- Published
- 15/07/2020
- Modified
- 21/12/2025
Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.
- Attack vector
- Network
- Published
- 30/08/2022
- Modified
- 21/12/2025
A vulnerability was determined in Linksys E1700 1.0.0.4.003. This vulnerability affects the function systemCommand of the file /goform/systemCommand. Executing manipulation of the …
- Attack vector
- Network
- Complexity
- Low
- Published
- 27/08/2025
- Modified
- 29/04/2026
- Published
- 20/12/2025
- Modified
- 21/12/2025
TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.
- Attack vector
- Adjacent
- Published
- 01/05/2023
- Modified
- 21/12/2025
A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …
- Attack vector
- Network
- Published
- 06/11/2024
- Modified
- 21/12/2025
Spring Cloud Gateway applications are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured.
- Published
- 16/05/2022
- Modified
- 20/12/2025
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The GeoServer security …
- Attack vector
- Network
- Published
- 14/04/2022
- Modified
- 21/12/2025
A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …
- Attack vector
- Network
- Published
- 13/04/2024
- Modified
- 21/12/2025
Observables (26)
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138
Techniques (MITRE) (20)
- Process Discovery
- Data from Information Repositories
- Valid Accounts
- Network Denial of Service
- Brute Force
- Masquerading
- Indicator Removal
- Exploitation for Privilege Escalation
- Impair Defenses
- Obfuscated Files or Information
- System Services
- Exploit Public-Facing Application