RondoDox: From Pwn2Own Vulnerabilities to Global Exploitation | eSecurity Planet

RondoDox: From Pwn2Own Vulnerabilities to Global Exploitation

RondoDox is a fast-evolving botnet exploiting over 50 vulnerabilities across 30 vendors

Written By
Ken Underhill
Ken Underhill
Oct 14, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Security researchers from Trend Micro uncovered a rapidly expanding botnet operation known as RondoDox. 

The campaign has exploited more than 50 vulnerabilities across over 30 vendors, leveraging both newly discovered and previously demonstrated flaws from Pwn2Own security contests. 

The widespread use of RondoDox highlights the growing danger of automated network exploitation targeting routers, digital video recorders (DVRs), network video recorders (NVRs), and other internet-connected devices.

Weaponizing known vulnerabilities for botnet expansion

The first traces of RondoDox activity appeared in June 2025, when Trend Micro telemetry detected an attack leveraging CVE-2023-1389, which is a vulnerability in the TP-Link Archer AX21 Wi-Fi router. 

This flaw, involving an authentication bypass and command injection via the router’s WAN interface, had been responsibly disclosed and patched in 2023. However, RondoDox operators weaponized it to compromise internet-facing routers that remained unpatched.

This marks a recurring trend in threat activity: vulnerabilities revealed in security competitions quickly transition from theoretical demonstrations to active exploitation in the wild. 

Despite efforts to patch these flaws, the gap between disclosure and mass exploitation continues to narrow, providing botnet operators with a recurring stream of reliable attack vectors.

A stealthy botnet built to infect everything

RondoDox surfaced as a stealthy botnet campaign focusing on command-injection vulnerabilities across a wide range of devices, including routers, DVRs, NVRs, CCTV systems, and web servers. 

The malware’s primary objective is to gain shell access, execute remote commands, and drop multiarchitecture payloads.

Initial investigations by FortiGuard Labs linked RondoDox to early attacks against TBK DVRs and Four-Faith routers, exploiting CVE-2024-3721 and CVE-2024-12856

The campaign has since expanded significantly, employing a “loader-as-a-service” model that bundles RondoDox with well-known malware families such as Mirai and Morte. This hybridized infrastructure has enabled widespread distribution and made detection more complex.

Advertisement

The exploit shotgun approach

Unlike earlier, narrowly focused botnets, RondoDox uses what researchers call an “exploit shotgun” method—simultaneously firing off multiple exploits to compromise as many targets as possible. 

Its arsenal now includes dozens of CVEs affecting routers, cameras, web servers, and IoT devices from over 30 manufacturers. By casting a wide net, RondoDox maximizes infection rates and persistence across diverse environments.

Among the most heavily targeted vulnerabilities are CVE-2023-1389, CVE-2024-3721, and CVE-2024-12856.

This designation underscores their critical nature and the need for immediate patching.

RondoDox’s payload delivery follows a multi-stage process: initial exploitation of a device’s management interface, remote command execution, payload download, and system registration within the botnet. 

Once compromised, infected devices are used for data exfiltration, denial-of-service (DoS) attacks, or as launchpads for lateral movement within enterprise networks.

The vulnerability lifecycle

The RondoDox campaign reveals a critical weakness in global vulnerability management. Even with responsible disclosure and vendor patching, many organizations delay applying updates—leaving devices exposed for months or even years. 

The rapid reuse of Pwn2Own-discovered vulnerabilities demonstrates how quickly research findings can be weaponized when patch adoption lags behind.

With the growing integration of artificial intelligence into cyber operations, attackers can now automate vulnerability scanning, exploit development, and payload distribution—dramatically accelerating the time from CVE disclosure to real-world exploitation.

Furthermore, the campaign underscores the persistence of n-day exploits—attacks leveraging publicly known flaws rather than zero-days. 

As long as unpatched infrastructure remains online, botnets like RondoDox will continue to expand their reach and evolve their methods.

Advertisement

Strengthening organizational security posture

To combat RondoDox and similar campaigns, organizations must adopt a proactive and layered defense strategy. Key mitigations include:

  • Prioritize patching and visibility: Keep an updated asset inventory and quickly patch all high-risk vulnerabilities, including those in the CISA KEV catalog.
  • Strengthen network and access controls: Segment systems, enforce least privilege, use MFA, and limit internet exposure.
  • Enhance monitoring and response: Continuously detect anomalies, use threat intelligence, and maintain tested backups for rapid recovery.
  • Promote security culture and hygiene: Harden configurations, remove default credentials, and train users to recognize and prevent threats.

Together, these measures create a layered defense that reduces exposure, limits attacker movement, and strengthens organizational resilience against evolving threats.

By exploiting over 50 vulnerabilities across multiple vendors, the RondoDox campaign demonstrates the growing speed and scale of modern exploit operations. 

As attackers increasingly automate discovery and weaponization through AI and large-scale infrastructure, the window between vulnerability disclosure and exploitation continues to shrink. 

Defending against threats like RondoDox requires constant vigilance, rapid patching, and a proactive commitment to securing every layer of the network.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.