VYPR
breach · Published May 23, 2026 · 1 source

RondoDox Botnet Exploits 2018 Flaw in Asus Routers for First Known In-the-Wild Attacks

The RondoDox botnet is exploiting CVE-2018-14714, a nearly decade-old unauthenticated remote code execution vulnerability in Asus routers, to compromise devices and launch DDoS attacks.

The RondoDox botnet has begun exploiting CVE-2018-14714, a critical unauthenticated remote code execution vulnerability in Asus routers that was first disclosed in 2018, marking the first known in-the-wild attacks against the nearly decade-old flaw. Researchers at VulnCheck observed the exploitation activity starting on May 17, 2026, and have attributed it to the RondoDox botnet, a Linux-focused DDoS malware strain that emerged in mid-2025 and is often classified as a Mirai variant.

The vulnerability, which carries a CVSS score of 9.8, allows an unauthenticated attacker to achieve remote code execution as root on affected Asus router models. Public proof-of-concept exploits have been available since the flaw was disclosed in 2018, yet in the eight years since, no threat actor had been observed using them against real devices. "But until now, we hadn't seen the vulnerability exploited in the wild," wrote VulnCheck CTO Jacob Baines in a LinkedIn post announcing the discovery.

RondoDox relies on a multi-stage attack chain built around mass exploitation, with a particular focus on end-of-life and IoT devices. The botnet scans for exposed devices and fires exploits for the many CVEs embedded in its code against each target, often chaining several flaws before dropping a malware payload that calls back to its command-and-control infrastructure. According to Bitsight analysis, RondoDox has been associated with more than 170 unique CVEs, so the addition of CVE-2018-14714 is consistent with its existing playbook.

"RondoDox is well known for implementing a ton of exploits. Some analyses have tracked its CVE associations well into the 170s, so it's not surprising or new that they're using older ones too," Baines said. Bitsight also assesses that the botnet's operators monitor vulnerability disclosures and have, in some cases, exploited consumer-device CVEs before those CVEs were publicly disclosed.

The choice of Asus routers is strategic for the botnet operators. "There are a ton of Asus routers online, more than 1 million, so it's very conceivable that this is working for RondoDox," Baines noted. The botnet uses compromised residential IP addresses as its hosting infrastructure and depends on older vulnerabilities in widely deployed, largely end-of-life consumer routers to keep replenishing its pool of bots.

Asus has not yet released a security advisory specifically addressing this active exploitation, and the affected router models, many of which are no longer supported, remain vulnerable. Users should install any available firmware update, disable remote (WAN-side) administration unless it is required, and confirm that the device's management interface is not reachable from the internet; owners of end-of-life models that will not receive a fix should retire or replace them. The emergence of this exploitation highlights the persistent risk posed by unpatched, end-of-life IoT devices that remain online and accessible.
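One way to check the last piece of that advice, whether a router's management interface answers from the internet, is to attempt TCP connections to its common administration ports from a vantage point outside the LAN (a VPS, or a phone on mobile data, pointed at the router's public IP). The script below is an added example and is not code from VulnCheck, Asus, Bitsight or the RondoDox research; the port list, the timeout and the placeholder target address are assumptions, and the list is a generic consumer-router set rather than anything Asus-specific. Run from inside the LAN it only tells you what the LAN can reach, which is not the question.

```python
"""Check whether a router's management ports accept connections from here.

Added example, not from any vendor or researcher cited on the page.
Assumptions: the port list below, a 2-second timeout, and the RFC 5737
placeholder address used when no target is given on the command line.
Meaningful only when run from OUTSIDE the LAN against the public IP:
any port reported open there is reachable by botnet scanners as well.
"""
import socket
import sys
from typing import Dict, Iterable, List

# Assumed list: HTTP/HTTPS admin UI, SSH, Telnet, alternate HTTPS admin.
DEFAULT_PORTS = (80, 443, 22, 23, 8443)


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a full TCP handshake to host:port completes.

    Connection refused, timeout (filtered) and unreachable all count as
    'not open'; a completed handshake means something is listening and
    the path from this vantage point is not blocked.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except (OSError, socket.timeout):
        return False


def check_exposure(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                   timeout: float = 2.0) -> Dict[int, bool]:
    """Map each candidate port to whether it accepted a connection."""
    return {p: port_is_open(host, p, timeout) for p in ports}


def exposed_ports(host: str, ports: Iterable[int] = DEFAULT_PORTS,
                  timeout: float = 2.0) -> List[int]:
    """Return just the ports that answered, sorted, for easy reporting."""
    return sorted(p for p, is_open in check_exposure(host, ports, timeout).items() if is_open)


if __name__ == "__main__":
    # Placeholder target (RFC 5737 TEST-NET-1); pass the router's public IP
    # as the first argument when running for real.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    results = check_exposure(target)
    for port, is_open in results.items():
        state = "OPEN (reachable from this vantage point)" if is_open else "closed/filtered"
        print(f"{target}:{port} {state}")
    if any(results.values()):
        print("Management ports answer from outside: disable remote/WAN "
              "administration and re-check, or firewall the device.")
```

The check deliberately stops at the TCP handshake rather than fetching the login page, so it works the same for the HTTPS admin UI, SSH and Telnet; a port that completes the handshake is enough to draw a scanner's attention, whether or not the service behind it is the vulnerable one.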

The RondoDox botnet's activity is part of a broader trend of threat groups weaponizing older, well-documented vulnerabilities that organizations and consumers have failed to patch. With over 1 million potentially exploitable Asus routers online, the campaign could significantly expand the botnet's capacity for distributed denial-of-service attacks.

Synthesized by Vypr AI