RondoDox botnet exploits React2Shell flaw to breach Next.js servers

02.01.2026 2 minutes Author: Newsman

Cybersecurity researchers have observed the RondoDox botnet actively exploiting the critical React2Shell vulnerability to compromise vulnerable Next.js servers. The attacks result in malware and cryptominer deployment across infected systems.

According to a report by CloudSEK, RondoDox began scanning for exposed Next.js servers on December 8, 2025, and launched its infection phase just days later. The botnet exploits React2Shell (CVE-2025-55182), an unauthenticated remote code execution flaw that can be triggered with a single HTTP request.

  • React2Shell affects all frameworks implementing React Server Components and the Flight protocol, making Next.js a prime target. Within a short period in December, RondoDox launched more than 40 exploitation attempts, combining web server attacks with hourly IoT exploitation waves.

  • Once access is gained, the botnet deploys multiple payloads, including a coin miner, a loader and health-check module, and a modified Mirai variant. One component removes competing malware, enforces persistence via cron jobs, and terminates non-whitelisted processes every 45 seconds.

RondoDox was first documented by Fortinet in July 2025 as a large-scale botnet exploiting multiple n-day vulnerabilities. In November, new variants emerged targeting a critical RCE flaw in XWiki.

As of late December, the Shadowserver Foundation reported more than 94,000 internet-exposed assets still vulnerable to React2Shell. The same flaw has also been exploited by other threat actors, including North Korea-linked groups deploying custom malware families.

RondoDox highlights how quickly critical RCE vulnerabilities in widely used web frameworks can be weaponized at scale. By combining Next.js server exploitation with aggressive IoT botnet expansion, the campaign poses a serious threat to modern cloud and web infrastructures.

1 Comment
opiksunquit
5 months ago

Interesting that there is no mention that Cloudflare has started protecting sites against this vulnerability.
