
RondoDox Botnet Breaches Next.js Servers via React2Shell Flaw

Originally published on: January 1, 2026
Summary

– The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.
– React2Shell is an unauthenticated remote code execution flaw affecting frameworks using the React Server Components protocol, with over 94,000 exposed assets detected as vulnerable.
– RondoDox has evolved through three operational phases in 2025, culminating in large-scale IoT botnet deployment and recent, focused exploitation waves for React2Shell.
– During attacks, the botnet deploys payloads including a coinminer, a botnet loader, and a Mirai variant, which removes competing malware and enforces persistence on infected hosts.
– Cybersecurity firm CloudSEK recommends patching Next.js Server Actions, isolating IoT devices, and monitoring for suspicious processes to defend against RondoDox.

A significant cybersecurity threat has emerged as the RondoDox botnet actively exploits the critical React2Shell vulnerability to compromise Next.js servers. This campaign involves deploying malicious software and cryptocurrency miners on infected systems. The botnet, first identified by researchers in mid-2025, is known for its broad attacks leveraging known security flaws. Recent analysis reveals its expansion to target a separate critical vulnerability in the XWiki Platform, demonstrating its evolving and aggressive nature.

According to a new threat intelligence report, RondoDox initiated widespread scanning for susceptible Next.js servers in early December, followed by the deployment of its botnet clients just seventy-two hours later. The core of this attack hinges on the React2Shell flaw, officially tracked as CVE-2025-55182. This is a severe security weakness that allows for unauthenticated remote code execution through a simple HTTP request. It impacts any framework utilizing the React Server Components ‘Flight’ protocol, with Next.js being a primary target.

This particular vulnerability has attracted attention from various malicious groups. North Korean state-sponsored hackers have previously used React2Shell to install a sophisticated remote access trojan called EtherRAT on victim networks. The scale of the exposure is considerable; internet monitoring organizations have identified more than 94,000 publicly accessible assets that remain vulnerable to this exploit as of late December.

The botnet’s operations throughout the year have progressed through several distinct phases. It began with reconnaissance and testing activities in the spring, moved into automated exploitation of web applications by early summer, and has now entered a period of large-scale deployment focused on Internet of Things devices. In relation to the current Next.js attacks, researchers observed a sharp increase in focused exploitation efforts, with the botnet launching more than forty separate exploit attempts within a single week in December.

Alongside these server attacks, RondoDox continues its hourly exploitation waves targeting vulnerable IoT routers from manufacturers like Linksys and Wavlink. This dual-pronged approach aims to recruit both servers and consumer networking devices into its botnet army. After identifying a potentially vulnerable Next.js server, the botnet delivers a suite of payloads. These include a cryptocurrency miner, a dedicated botnet loader and health-checking utility, and a variant of the notorious Mirai malware.

The loader component, in particular, performs several aggressive actions to secure its hold on an infected machine. It actively seeks out and removes any competing malware, establishes persistence by modifying system scheduling files, and terminates any non-approved processes at regular forty-five-second intervals. This ensures the botnet client maintains control and maximizes resource availability for its operations.

Security experts recommend several defensive measures for organizations. Critical steps include auditing and promptly patching Next.js Server Actions to address the underlying vulnerability. Network segmentation is also strongly advised: IoT devices should be isolated on dedicated virtual LANs, separate from core business systems. Furthermore, organizations should implement robust monitoring for unusual or unauthorized processes executing on servers and network endpoints, so that potential infections are detected early.

(Source: Bleeping Computer)
