RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

216.73.217.22

RondoDox v2: Evolution of RondoDox Botnet with 650% More Exploits

· Published 10/11/2025 11:06 · Modified 10/11/2025 11:56

Essential information

Published: 10/11/2025 11:06
Modified: 10/11/2025 11:56
Tags: 2025-11-10 CVE-2014-1635 CVE-2014-6271 CVE-2015-2051 CVE-2016-6277 CVE-2017-18368 CVE-2017-18369 CVE-2018-10561 CVE-2018-11714 CVE-2019-16920 CVE-2020-10987 CVE-2020-25506 CVE-2020-27867 CVE-2021-41773 CVE-2021-42013 CVE-2022-36553 CVE-2022-37129 CVE-2022-44149 CVE-2023-1389 CVE-2023-25280 CVE-2023-26801 CVE-2023-47565 CVE-2023-51833 CVE-2023-52163 CVE-2024-10914 CVE-2024-12847 CVE-2024-12856 CVE-2024-3721 CVE-2024-7029 CVE-2025-1829 CVE-2025-22905 CVE-2025-34037 CVE-2025-4008 CVE-2025-5504 CVE-2025-7414 botnet command injection ddos enterprise exploit iot multi-architecture obfuscation persistence rondodox
Related entities: 35 vulnerabilities (cve), 20 observables, 1 intrusion sets (apt), 1 malware, 3 others

Description

The RondoDox botnet has undergone a significant evolution, expanding its capabilities and target range. This new variant, RondoDox v2, demonstrates a 650% increase in exploitation vectors, moving beyond niche DVR targeting to include enterprise applications. Key features include over 75 exploitation vectors, new command and control infrastructure utilizing compromised residential IPs, enhanced obfuscation and persistence mechanisms, and an expanded ecosystem of targets. The botnet now employs a multi-architecture approach, supporting 16 different binary variants to maximize its reach across diverse device types.

Related entities

CVE-2025-34037

10.0 Critical

An OS command injection vulnerability exists in various models of E-Series Linksys routers via the /tmUnblock.cgi and /hndUnblock.cgi endpoints over HTTP on …

Published: 24/06/2025
Modified: 20/03/2026

CVE-2022-37129

8.8 High

D-Link DIR-816 A2_v1.10CNB04.img is vulnerable to Command Injection via /goform/SystemCommand. After the user passes in the command parameter, it will be spliced …

Attack vector: NETWORK
Published: 01/09/2022
Modified: 21/12/2025

CVE-2022-36553

9.8 Critical

Hytec Inter HWL-2511-SS v1.05 and below was discovered to contain a command injection vulnerability via the component /www/cgi-bin/popen.cgi.

Attack vector: NETWORK
Published: 30/08/2022
Modified: 21/12/2025

CVE-2020-27867

6.8 Medium

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of NETGEAR R6020, R6080, R6120, R6220, R6260, R6700v2, R6800, R6900v2, …

Attack vector: ADJACENT_NETWORK
Published: 12/02/2021
Modified: 21/12/2025

CVE-2018-11714

Published: 20/12/2025
Modified: 21/12/2025

CVE-2017-18369

Published: 20/12/2025
Modified: 21/12/2025

CVE-2014-1635

10.0 Critical

Buffer overflow in login.cgi in MiniHttpd in Belkin N750 Router with firmware before F9K1103_WW_1.10.17m allows remote attackers to execute arbitrary code via …

Published: 12/11/2014
Modified: 07/05/2026

CVE-2025-4008 KEV

9.4 Critical

The Meteobridge web interface let meteobridge administrator manage their weather station data collection and administer their meteobridge system through a web application …

Attack vector: Adjacent
Published: 02/10/2025
Modified: 21/12/2025

CVE-2025-7414

8.8 High

A vulnerability classified as critical was found in Tenda O3V2 1.0.0.12(3880). This vulnerability affects the function fromNetToolGet of the file /goform/setPingInfo of …

Attack vector: Network
Complexity: Low
Published: 10/07/2025
Modified: 29/04/2026

CVE-2025-5504

5.3 Medium

A vulnerability has been found in TOTOLINK X2000R 1.0.0-B20230726.1108 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formWsc. …

Attack vector: NETWORK
Published: 03/06/2025
Modified: 21/12/2025

CVE-2022-44149

8.8 High

The web service on Nexxt Amp300 ARN02304U8 42.103.1.5095 and 80.103.2.5045 devices allows remote OS command execution by placing &telnetd in the JSON …

Attack vector: NETWORK
Published: 06/01/2023
Modified: 21/12/2025

CVE-2025-1829

6.3 Medium

A vulnerability was found in TOTOLINK X18 9.1.0cu.2024_B20220329. It has been declared as critical. This vulnerability affects the function setMtknatCfg of the …

Attack vector: NETWORK
Published: 02/03/2025
Modified: 21/12/2025

CVE-2020-25506 KEV

D-Link DNS-320 device contains a command injection vulnerability in the sytem_mgr.cgi component that may allow for remote code execution.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-52163 KEV

8.8 High

Digiever DS-2105 Pro 3.1.0.71-11 devices allow time_tzsetup.cgi Command Injection. NOTE: This vulnerability only affects products that are no longer supported by the …

Attack vector: NETWORK
Published: 03/02/2025
Modified: 31/12/2025

CVE-2020-10987 KEV

Tenda AC1900 Router AC15 Model contains an unspecified vulnerability that allows remote attackers to execute system commands via the deviceName POST parameter.

Published: 03/11/2021
Modified: 20/12/2025

CVE-2023-47565 KEV

8.0 High

QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.

Attack vector: Adjacent
Published: 21/12/2023
Modified: 28/02/2026

CVE-2025-22905

9.8 Critical

RE11S v1.11 was discovered to contain a command injection vulnerability via the command parameter at /goform/mp.

Attack vector: NETWORK
Published: 16/01/2025
Modified: 21/12/2025

CVE-2024-12847

9.8 Critical

NETGEAR DGN1000 before 1.1.00.48 is vulnerable to an authentication bypass vulnerability. A remote and unauthenticated attacker can execute arbitrary operating system commands …

Attack vector: Network
Published: 10/01/2025
Modified: 21/12/2025

CVE-2024-12856

7.2 High

The Four-Faith router models F3x24 and F3x36 are affected by an operating system (OS) command injection vulnerability. At least firmware version 2.0 …

Attack vector: NETWORK
Published: 27/12/2024
Modified: 21/12/2025

CVE-2024-10914

8.1 High

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by …

Attack vector: NETWORK
Published: 06/11/2024
Modified: 21/12/2025

CVE-2023-25280 KEV

9.8 Critical

D-Link DIR-820 routers contain an OS command injection vulnerability that allows a remote, unauthenticated attacker to escalate privileges to root via a …

Attack vector: Network
Published: 30/09/2024
Modified: 21/12/2025

CVE-2024-7029

8.8 High

Commands can be injected over the network and executed without authentication.

Attack vector: NETWORK
Published: 02/08/2024
Modified: 21/12/2025

CVE-2021-42013 KEV

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2014-6271 KEV

9.8 Critical

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute …

Attack vector: NETWORK
Complexity: LOW
Published: 24/09/2014
Modified: 22/04/2026

CVE-2019-16920 KEV

Multiple D-Link routers contain a command injection vulnerability which can allow attackers to achieve full system compromise.

Published: 25/03/2022
Modified: 21/12/2025

CVE-2016-6277 KEV

8.8 High

NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 14/12/2016
Modified: 22/04/2026

CVE-2021-41773 KEV

9.8 Critical

Apache HTTP Server contains a path traversal vulnerability that allows an attacker to perform remote code execution if files outside directories configured …

Attack vector: Network
Published: 03/11/2021
Modified: 18/02/2026

CVE-2017-18368 KEV

Zyxel P660HN-T1A routers contain a command injection vulnerability in the Remote System Log forwarding function, which is accessible by an unauthenticated user …

Published: 07/08/2023
Modified: 20/12/2025

CVE-2018-10561 KEV

Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10562, exploitation can allow an attacker to perform remote code execution.

Published: 31/03/2022
Modified: 20/12/2025

CVE-2015-2051 KEV

8.8 High

D-Link DIR-645 Wired/Wireless Router allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Attack vector: Adjacent
Complexity: LOW
Published: 23/02/2015
Modified: 22/04/2026

CVE-2023-1389 KEV

8.8 High

TP-Link Archer AX-21 contains a command injection vulnerability that allows for remote code execution.

Attack vector: Adjacent
Published: 01/05/2023
Modified: 21/12/2025

CVE-2023-26801

9.8 Critical

LB-LINK BL-AC1900_2.0 v1.0.1, LB-LINK BL-WR9000 v2.4.9, LB-LINK BL-X26 v1.2.5, and LB-LINK BL-LTE300 v1.0.8 were discovered to contain a command injection vulnerability via …

Attack vector: NETWORK
Published: 26/03/2023
Modified: 21/12/2025

CVE-2023-51833

8.1 High

A command injection issue in TRENDnet TEW-411BRPplus v.2.07_eu that allows a local attacker to execute arbitrary code via the data1 parameter in …

Attack vector: NETWORK
Published: 25/01/2024
Modified: 21/12/2025

CVE-2024-3721

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2017-10271 KEV

7.5 High

Oracle Corporation WebLogic Server contains a vulnerability that allows for remote code execution.

Attack vector: NETWORK
Complexity: LOW
Published: 19/10/2017
Modified: 22/04/2026