216.73.217.22

RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities

· Published 11/03/2026 15:49 · Modified 16/03/2026 09:52

Export JSON

Essential information

Published
11/03/2026 15:49
Modified
16/03/2026 09:52
Tags
2026-03-11 botnet ddos iot rondodox vulnerability exploitation xmrig
Related entities
12 vulnerabilities (cve), 29 observables, 1 intrusion sets (apt), 16 techniques (mitre), 2 malware, 1 others

Description

The has emerged as a significant threat, exploiting 174 different vulnerabilities since May 2025. It primarily targets devices and internet-exposed services for DoS attacks. The 's infrastructure includes exploiting and hosting components, with evidence suggesting the use of compromised residential IPs. 's operators have shown a rapid adoption of newly disclosed vulnerabilities, sometimes exploiting them within days of publication. The 's evolution includes a shift from a shotgun approach using numerous exploits to a more focused strategy targeting recent, critical vulnerabilities. The malware shares similarities with Mirai but focuses solely on DoS attacks. This threat highlights the importance of exposure management in cybersecurity.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (12)

CVE-2025-37164 KEV
10.0 Critical

Hewlett Packard Enterprise (HPE) OneView contains a code injection vulnerability that allows a remote unauthenticated user to perform remote code execution.

Attack vector
NETWORK
Published
16/12/2025
Modified
16/03/2026
Undergoing Analysis
CVE-2025-47812 KEV
10.0 Critical

Wing FTP Server contains an improper neutralization of null byte or NUL character vulnerability that can allow injection of arbitrary Lua code …

Attack vector
Network
Published
14/07/2025
Modified
16/03/2026
CVE-2025-24016 KEV
9.9 Critical

Wazuh is a free and open source platform used for threat prevention, detection, and response. Starting in version 4.4.0 and prior to …

Attack vector
Network
Published
10/06/2025
Modified
21/12/2025
Awaiting Analysis
CVE-2025-52089
8.8 High

A hidden remote support feature protected by a static secret in TOTOLINK N300RB firmware version 8.54 allows an authenticated attacker to execute …

Attack vector
ADJACENT_NETWORK
Published
11/07/2025
Modified
16/03/2026
CVE-2025-32756 KEV
9.8 Critical

Fortinet FortiFone, FortiVoice, FortiNDR and FortiMail contain a stack-based overflow vulnerability that may allow a remote unauthenticated attacker to execute arbitrary code …

Attack vector
Network
Published
14/05/2025
Modified
14/01/2026
CVE-2025-48827
10.0 Critical

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 …

Attack vector
NETWORK
Published
27/05/2025
Modified
16/03/2026
Awaiting Analysis
CVE-2025-57296
6.5 Medium

Tenda AC6 router firmware 15.03.05.19 contains a command injection vulnerability in the formSetIptv function, which processes requests to the /goform/SetIPTVCfg web interface. …

Attack vector
NETWORK
Published
19/09/2025
Modified
16/03/2026
Received
CVE-2025-20281 KEV
10.0 Critical

A vulnerability in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code …

Attack vector
Network
Published
28/07/2025
Modified
21/12/2025
Awaiting Analysis
CVE-2023-46604 KEV
10.0 Critical

Apache ActiveMQ contains a deserialization of untrusted data vulnerability that may allow a remote attacker with network access to a broker to …

Attack vector
Network
Published
02/11/2023
Modified
21/12/2025
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2025-62593
9.4 Critical

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via …

Published
16/03/2026
Modified
16/03/2026
Awaiting Analysis
CVE-2025-24893 KEV
9.8 Critical

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any guest can perform arbitrary …

Attack vector
Network
Published
30/10/2025
Modified
28/01/2026
Awaiting Analysis

Observables (29)

  • 45.8.145.203
  • 192.253.248.5
  • 192.183.232.142
  • 45.135.194.32
  • 45.135.194.34
  • 192.159.99.95
  • 45.135.194.11
  • 99.241.94.234
  • 78.153.149.90
  • 45.125.66.100
  • 23.228.188.126
  • 45.153.34.156
  • 74.194.191.52
  • 41.231.37.153
  • 154.91.254.95
  • 87.121.84.31
  • 70.184.13.47
  • 14.103.145.202
  • 38.59.219.27
  • 169.255.72.169
  • 37.32.15.8
  • 87.121.84.75
  • 87.121.84.132
  • 14.103.145.211
  • 83.252.42.112
  • 45.156.87.165
  • 83.150.218.93
  • ce6375a4077edaf2f83847e3cefd8eb9535da249806d3214b22a0d50891c7b4c
  • 691e4ec280aaff33270f33a9bb48a3fc38e2bd91c7359e687e3f0bd682f20b54

Intrusion sets (APT) (1)

  • RondoDox
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 18:21 · Modified 16/03/2026 10:51

Techniques (MITRE) (16)

Malware (2)

  • RondoDox
    Family
    Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
  • XMRig
    Family
    Published 28/05/2026 10:56 · Modified 28/05/2026 10:56

Others (1)

  • x1337.cc

External references