Vypr Research · Published Oct 9, 2025 · Updated May 20, 2026 · 1 source

RondoDox Botnet Expands to Over 50 Exploits, Weaponizing Pwn2Own Flaws in Global Campaign

A large-scale RondoDox botnet campaign is exploiting over 50 vulnerabilities across 30+ vendors, including flaws from Pwn2Own contests, targeting routers, DVRs, and CCTV systems globally.

Trend Micro and ZDI researchers have uncovered a massive RondoDox botnet campaign that exploits over 50 vulnerabilities across more than 30 vendors, including flaws first demonstrated at Pwn2Own hacking contests. Active since mid-2025, the campaign targets internet-exposed routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, and web servers using an 'exploit shotgun' approach—firing multiple exploits at once to see what sticks. Several of the exploited CVEs have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, elevating them to urgent patching priorities for defenders.
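The 'exploit shotgun' pattern described above has a defensive corollary: a single source that fires many distinct injection-looking requests at a device within seconds looks very different from an ordinary client. The script below is an added example for this article, not code from Trend Micro, ZDI, or the article's source; it parses combined-format access-log lines (constructed here, with generic placeholder paths and payload fragments rather than the campaign's real requests) and flags sources that hit several different endpoints with shell-metacharacter requests inside one time window.

```python
"""Flag 'exploit shotgun' sources in web-server access logs.

Added example for this article; not code from Trend Micro, ZDI or the botnet.
Heuristic: one client that sends several DISTINCT command-injection-looking
requests within a short window looks like an automated multi-exploit loader,
not a single mistyped URL. All log lines below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed access-log lines ("combined" format). Paths and payload fragments
# are generic placeholders, not the campaign's real exploit requests.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Sep/2025:10:00:01 +0000] "GET /cgi-bin/ping?host=127.0.0.1;id HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:00:02 +0000] "POST /api/ntp HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:00:02 +0000] "GET /api/diag?target=127.0.0.1%7Cid HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:00:03 +0000] "GET /setup/time?tz=%24%28id%29 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:00:04 +0000] "GET /cgi-bin/ping?host=127.0.0.1;id HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.10 - - [22/Sep/2025:10:00:05 +0000] "GET /device/status?cmd=%60id%60 HTTP/1.1" 404 153 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2025:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Sep/2025:10:05:01 +0000] "GET /style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [22/Sep/2025:11:00:00 +0000] "GET /login?user=a;id HTTP/1.1" 404 153 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Shell metacharacters that have no business in a router/DVR query string.
INJECT_RE = re.compile(r"[;|`]|\$\(|\$\{|&&")


def parse_line(line):
    """Return a dict (ip, ts, path, status) for one combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_injection_like(path):
    """True if the URL-decoded path/query carries shell metacharacters."""
    return INJECT_RE.search(unquote(path)) is not None


def find_shotgun_sources(log_text, window=timedelta(seconds=60), min_distinct=3):
    """Map source IP -> sorted distinct endpoints, for sources that hit at least
    `min_distinct` different endpoints with injection-like requests inside `window`."""
    hits = defaultdict(list)  # ip -> [(timestamp, endpoint without query string)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_injection_like(rec["path"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"].split("?", 1)[0]))

    alerts = {}
    for ip, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over sorted events
            endpoints = {ep for t, ep in events[i:] if t - t0 <= window}
            if len(endpoints) >= min_distinct:
                alerts[ip] = sorted(endpoints)
                break
    return alerts


if __name__ == "__main__":
    for ip, endpoints in find_shotgun_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(endpoints)} distinct injection-like endpoints {endpoints}")
```

Counting distinct endpoints rather than raw request volume is the point: a retried single exploit stays below the threshold, while a loader cycling through different CVEs crosses it quickly. In the constructed sample only 203.0.113.10 is reported; the lone injection-like request from 192.0.2.44 is not, though lowering `min_distinct` to 1 surfaces it for triage.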

The campaign's first intrusion attempt was detected on June 15, 2025, leveraging CVE-2023-1389, a command injection vulnerability in the TP-Link Archer AX21 Wi-Fi router that was originally disclosed at Pwn2Own Toronto 2022. The flaw is reachable through the router's WAN interface and had previously been exploited by a Mirai botnet campaign in 2023. The RondoDox operators have since expanded their arsenal to include dozens of additional CVEs, including CVE-2024-3721 (TBK DVR) and CVE-2024-12856 (Four-Faith routers), which FortiGuard Labs had tied to earlier RondoDox activity.

RondoDox first surfaced publicly in mid-2025 as a stealthy botnet that weaponizes longstanding command-injection flaws in networking equipment to gain shell access and drop multi-architecture payloads. The botnet has since evolved into a 'loader-as-a-service' infrastructure that co-packages RondoDox with Mirai and Morte payloads, making detection and remediation more urgent. This distribution model allows the operators to rotate infrastructure at scale, complicating takedown efforts.

The campaign exposes organizations to risks of data exfiltration, persistent network compromise, and operational disruption. Researchers observed active exploitation globally, with a notable spike in activity detected on September 22, 2025. A follow-up analysis by CloudSEK on September 25, 2025, highlighted the rapid growth of the botnet through its loader-as-a-service model, with evidence of large-scale, rotated infrastructure.

Trend Micro and ZDI researchers have published a detailed timeline of the campaign's evolution, from the initial Pwn2Own disclosure in December 2022 to the widespread exploitation seen in 2025. The timeline includes key milestones such as the coordinated disclosure of CVE-2023-1389 in January 2023, the first RondoDox detection in June 2025, and the subsequent expansion to over 50 exploits.

Organizations operating internet-facing network devices are at heightened risk. Trend Micro recommends prioritizing patching of all listed vulnerabilities, especially those in the KEV catalog, conducting regular vulnerability assessments, segmenting networks to limit lateral movement, and continuously monitoring devices for anomalous activity. Trend Micro solutions already provide protection against the vulnerabilities exploited in this campaign, helping organizations mitigate exposure while patching efforts are underway.
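Turning "patch the KEV entries first" into a repeatable check is straightforward once the catalog is machine-readable. The script below is an added example for this article, not Trend Micro's or CISA's code. It takes a constructed device inventory and a constructed KEV sample written in the shape of CISA's public JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`); the CVE ids are the ones named in this article, but which of them the sample lists as KEV entries, and every date in it, are illustrative rather than the real catalog.

```python
"""Rank a device inventory's CVEs for patching, KEV entries first.

Added example for this article, not Trend Micro's or CISA's code. KEV_SAMPLE
is a CONSTRUCTED sample in the shape of CISA's JSON feed; its membership and
dates are illustrative, not the real catalog. The inventory is constructed too.
"""
import json
from datetime import date

KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-2023-1389", "vendorProject": "TP-Link", "product": "Archer AX21",
         "dateAdded": "2025-06-20", "dueDate": "2025-07-11"},
        {"cveID": "CVE-2024-3721", "vendorProject": "TBK", "product": "DVR",
         "dateAdded": "2025-09-24", "dueDate": "2025-10-15"},
    ],
})

# Constructed asset inventory: the CVE each internet-facing device is exposed to.
INVENTORY = [
    {"asset": "edge-router-01", "cve": "CVE-2023-1389"},
    {"asset": "lobby-dvr", "cve": "CVE-2024-3721"},
    {"asset": "cell-gateway-02", "cve": "CVE-2024-12856"},
]


def load_kev(kev_json):
    """Index KEV entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def prioritize(inventory, kev, today_iso):
    """Return inventory rows annotated with a tier and sorted by it:
    tier 0 = in KEV and past its remediation due date,
    tier 1 = in KEV, due date still ahead,
    tier 2 = not in KEV (still patch, but after the KEV backlog).
    `today_iso` is an ISO date string so the cut-off is explicit and testable."""
    today = date.fromisoformat(today_iso)
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        if entry is None:
            rows.append({**item, "tier": 2, "due": None, "days_left": None})
            continue
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({**item, "tier": 0 if days_left < 0 else 1,
                     "due": due.isoformat(), "days_left": days_left})
    # Within a tier, the most overdue (or nearest) due date goes first.
    rows.sort(key=lambda r: (r["tier"], r["due"] or "9999-12-31", r["cve"]))
    return rows


if __name__ == "__main__":
    for r in prioritize(INVENTORY, load_kev(KEV_SAMPLE), "2025-10-09"):
        print(f"tier {r['tier']}  {r['asset']:16} {r['cve']:15} "
              f"due={r['due']} days_left={r['days_left']}")
```

Run against the live feed, `load_kev` would be fed the downloaded catalog JSON instead of the sample; the tiering logic does not change. Tier 2 is deliberately not "ignore": the article's point is that the campaign uses dozens of CVEs, only some of which are in KEV, so the non-KEV rows are the next batch rather than a parking lot.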

The RondoDox campaign underscores the growing trend of botnet operators weaponizing vulnerabilities from public hacking contests like Pwn2Own. As researchers noted, 'Vulnerabilities presented at our Pwn2Own consumer event continue to be popular with botnet operators.' The campaign's shift to a loader-as-a-service model also highlights the increasing commoditization of botnet infrastructure, enabling rapid scaling and diversification of attack vectors.

Synthesized by Vypr AI