RondoDox Botnet is Using React2Shell to Hijack Thousands of Unpatched Devices

RondoDox hackers exploit the React2Shell flaw in Next.js to target 90,000+ devices, including routers, smart cameras, and small business websites.

HackRead

If you have a smart camera at home or a small website for your business, you could be helping hackers without even knowing it: cyber criminals are breaking into thousands of everyday devices and folding them into the RondoDox botnet, a giant army of hijacked machines that the attackers control remotely.

According to a report from CloudSEK, these attackers are now exploiting a critical flaw called React2Shell (CVE-2025-55182). This flaw is found in Next.js, a popular tool used to build websites. It is very dangerous because it lets hackers take over a computer or server without needing a password.

**A Calculated Three-Step Takeover**

Right after this security flaw was discovered in December 2025, the RondoDox group began hunting for victims. Data from the Shadowserver Foundation shows that over 90,300 systems were left wide open by the end of the year. While the US has the most at-risk devices (over 68,000), thousands of others are vulnerable in Germany, France, and India.

Loggers used by threat actors (Source: CloudSEK)

Further investigation revealed that the hackers didn’t just start overnight; they used a three-step plan to grow, starting in early 2025 when they tested for basic website weaknesses like SQL injection to trick databases. By the summer, they began mass-scanning for popular platforms like WordPress and Drupal, while also targeting home Wavlink routers. By the end of the year, the attack became fully automated.

In their blog post, researchers noted six control centres sending out ten different versions of the virus to hit almost any type of machine architecture, from high-end cloud servers to basic home equipment.

**Who is at Risk?**

RondoDox can infect almost any device. The most common targets are:

  • Websites: Any site built with Next.js or WordPress.
  • Home Routers: Brands like D-Link, Netgear, and TP-Link.
  • Smart Tech: IP cameras and other gadgets connected to your Wi-Fi.

**The Hacker’s Toolkit**

Once inside, the hackers install hidden programs with strange names. They use “/nuts/poop” to steal the device’s power to mine digital currency and “/nuts/x86,” a version of the infamous Mirai malware, to help the botnet spread.

Perhaps the most aggressive tool is “/nuts/bolts.” This “health checker” scans the device every 45 seconds to kill any other rival viruses. It even wipes out old digital footprints to make RondoDox the sole owner of your device.

The best way to stay safe is to keep your technology updated. If you run a website, install the latest security fixes for Next.js right away. For your home, it is a smart move to connect gadgets like smart cameras to a separate Wi-Fi network so that if a hacker gets into a camera, they cannot reach your private phone or computer. Also, you should check your router’s settings and install any new software updates immediately.

Related news

ThreatsDay Bulletin: WhatsApp Hijacks, MCP Leaks, AI Recon, React2Shell Exploit and 15 More Stories

This week’s ThreatsDay Bulletin tracks how attackers keep reshaping old tools and finding new angles in familiar systems. Small changes in tactics are stacking up fast, and each one hints at where the next big breach could come from. From shifting infrastructures to clever social hooks, the week’s activity shows just how fluid the threat landscape has become. Here’s the full rundown of what

⚡ Weekly Recap: Apple 0-Days, WinRAR Exploit, LastPass Fines, .NET RCE, OAuth Scams & More

If you use a smartphone, browse the web, or unzip files on your computer, you are in the crosshairs this week. Hackers are currently exploiting critical flaws in the daily software we all rely on—and in some cases, they started attacking before a fix was even ready. Below, we list the urgent updates you need to install right now to stop these active threats. ⚡ Threat of the Week Apple and

New React RSC Vulnerabilities Enable DoS and Source Code Exposure

The React team has released fixes for two new types of flaws in React Server Components (RSC) that, if successfully exploited, could result in denial-of-service (DoS) or source code exposure. The team said the issues were found by the security community while attempting to exploit the patches released for CVE-2025-55182 (CVSS score: 10.0), a critical bug in RSC that has since been weaponized in

React2Shell Exploitation Escalates into Large-Scale Global Attacks, Forcing Emergency Mitigation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged federal agencies to patch the recent React2Shell vulnerability by December 12, 2025, amid reports of widespread exploitation. The critical vulnerability, tracked as CVE-2025-55182 (CVSS score: 10.0), affects the React Server Components (RSC) Flight protocol. The underlying cause of the issue is an unsafe deserialization

ThreatsDay Bulletin: Spyware Alerts, Mirai Strikes, Docker Leaks, ValleyRAT Rootkit — and 20 More Stories

This week’s cyber stories show how fast the online world can turn risky. Hackers are sneaking malware into movie downloads, browser add-ons, and even software updates people trust. Tech giants and governments are racing to plug new holes while arguing over privacy and control. And researchers keep uncovering just how much of our digital life is still wide open. The new Threatsday Bulletin

React2Shell Exploitation Delivers Crypto Miners and New Malware Across Multiple Sectors

React2Shell continues to witness heavy exploitation, with threat actors leveraging the maximum-severity security flaw in React Server Components (RSC) to deliver cryptocurrency miners and an array of previously undocumented malware families, according to new findings from Huntress. This includes a Linux backdoor called PeerBlight, a reverse proxy tunnel named CowTunnel, and a Go-based

North Korea-linked Actors Exploit React2Shell to Deploy New EtherRAT Malware

Threat actors with ties to North Korea have likely become the latest to exploit the recently disclosed critical security React2Shell flaw in React Server Components (RSC) to deliver a previously undocumented remote access trojan dubbed EtherRAT. "EtherRAT leverages Ethereum smart contracts for command-and-control (C2) resolution, deploys five independent Linux persistence mechanisms, and

⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More

It’s been a week of chaos in code and calm in headlines. A bug that broke the internet’s favorite framework, hackers chasing AI tools, fake apps stealing cash, and record-breaking cyberattacks — all within days. If you blink, you’ll miss how fast the threat map is changing. New flaws are being found, published, and exploited in hours instead of weeks. AI-powered tools meant to help developers

Critical React2Shell Flaw Added to CISA KEV After Confirmed Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday formally added a critical security flaw impacting React Server Components (RSC) to its Known Exploited Vulnerabilities (KEV) catalog following reports of active exploitation in the wild. The vulnerability, CVE-2025-55182 (CVSS score: 10.0), relates to a case of remote code execution that could be triggered by an

Critical RSC Bugs in React and Next.js Allow Unauthenticated Remote Code Execution

A maximum-severity security flaw has been disclosed in React Server Components (RSC) that, if successfully exploited, could result in remote code execution. The vulnerability, tracked as CVE-2025-55182, carries a CVSS score of 10.0. It allows "unauthenticated remote code execution by exploiting a flaw in how React decodes payloads sent to React Server Function endpoints," the React Team said in