Full Report
A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions. [...]
Analysis Summary
# Vulnerability: RondoDox Botnet Exploitation of 56 N-Day Flaws in IoT Devices
## CVE Details
- **CVE ID:** CVE-2023-1389, CVE-2023-52163, CVE-2023-47565, CVE-2023-26801, CVE-2023-51833, CVE-2024-10914, CVE-2024-3721, CVE-2024-12856, CVE-2024-12847, CVE-2024-7029, CVE-2024-1781, CVE-2025-7414, CVE-2025-1829, CVE-2025-4008, CVE-2025-22905, CVE-2025-34037, CVE-2025-5504. (Note: Many specific severities and CWEs are not detailed in the provided text, only the existence of 56 exploited flaws, including these listed post-2023 n-days).
- **CVSS Score:** Not explicitly stated for individual CVEs in the text.
- **CWE:** Not explicitly stated, but involves command injection flaws and vulnerabilities in IoT/network devices.
## Affected Systems
- **Products:** TP-Link Archer AX21 Wi-Fi router, Digiever, QNAP, LB-LINK, TRENDnet, D-Link (NAS units and routers), TBK, Four-Faith, Netgear, AVTECH, TOTOLINK, Tenda, Meteobridge, Edimax, Linksys (routers), Brickcom cameras, TVT DVRs, LILIN DVRs, Fiberhome, ASMAX, and other unidentified endpoints (DVRs, NVRs, CCTV systems, web servers).
- **Versions:** Specific vulnerable versions are not universally listed, but the flaws target devices affected by the above CVEs (some dating back to Pwn2Own Toronto 2022 exploits).
- **Configurations:** Devices exposed to the internet (IoT devices, routers, servers).
## Vulnerability Description
The RondoDox botnet is actively exploiting at least 56 known "n-day" vulnerabilities across a wide range of IoT and network infrastructure devices (routers, NAS, DVRs, CCTV). The botnet employs an "exploit shotgun" strategy, firing numerous exploits at each target rather than fingerprinting it first. Its arsenal includes both publicly disclosed, patched vulnerabilities (such as CVE-2023-1389, demonstrated at Pwn2Own Toronto 2022) and 18 command injection flaws that have no CVE assigned. The botnet's development is noted to prioritize exploits first demonstrated at Pwn2Own events.
## Exploitation
- **Status:** Exploited in the wild (Actively used by the RondoDox botnet since June).
- **Complexity:** Implied to be low for the botnet operators, since the flaws are widely known and publicly documented but remain unpatched on many exposed devices.
- **Attack Vector:** Network (targeting internet-exposed devices).
## Impact
- **Confidentiality:** Likely high; command injection and unauthorized access to networked hardware frequently lead to data compromise.
- **Integrity:** High; ransomware deployment or manipulation of networked systems (DVRs, NVRs) is possible.
- **Availability:** High; botnet enrollment can lead to denial of service or to the device being repurposed for the attacker's traffic.
## Remediation
### Patches
- Users must apply the latest available firmware updates for their specific devices, addressing the various vendor-specific CVEs (TP-Link, QNAP, D-Link, etc.).
### Workarounds
- Replace End-of-Life (EoL) equipment, as these are unlikely to receive patches.
- Segment the network to isolate internet-facing IoT devices from critical data or guest connections.
- Replace all default credentials with secure, unique passwords.
## Detection
- **Indicators of Compromise:** Unexplained outbound network activity, sudden changes in device behavior, or network scanning originating from compromised IoT devices.
- **Detection Methods and Tools:** Monitor internet-facing devices for inbound connection attempts and for known exploit signatures corresponding to the listed CVEs.
## References
- [FortiGuard Labs Report on RondoDox](https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat)
- [Trend Micro Report on RondoDox](https://www.trendmicro.com/en_us/research/25/j/rondodox.html)