RondoDox Botnet Unleashed: New Malware Uses ‘Exploit Shotgun’ to Target 50+ Router and IoT Flaws


Trend Micro has uncovered a rapidly expanding botnet campaign dubbed RondoDox, which is targeting a wide spectrum of internet-exposed devices — from routers and DVRs to CCTV systems and industrial networking gear. The campaign leverages over 50 distinct exploits across more than 30 vendors, posing a severe risk to global infrastructure.

“The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure,” the Trend Micro report warned.

According to Trend Micro’s Zero Day Initiative (ZDI) and Trend Research teams, the first intrusion attempt linked to RondoDox was detected on June 15, 2025, when the threat actors exploited a known vulnerability from the Pwn2Own Toronto event.

The exploited vulnerability, CVE-2023-1389, affects the TP-Link Archer AX21 Wi-Fi router and was originally disclosed during ZDI’s consumer router hacking competition.

“Our first RondoDox intrusion attempt began on June 15, 2025, when we identified a familiar vulnerability from our Pwn2Own Toronto event,” the report explained, noting that “vulnerabilities presented at our Pwn2Own consumer event continue to be popular with botnet operators.”

RondoDox doesn’t rely on precision. Instead, it fires an “exploit shotgun,” testing dozens of known and unpatched vulnerabilities across a wide attack surface — routers, DVRs, NVRs, CCTV systems, web servers, and other internet-connected devices.

The botnet leverages multi-architecture payloads, enabling infections on both ARM- and MIPS-based devices. This approach, Trend Micro noted, allows RondoDox to “gain shell access and, ultimately, to drop multiarchitecture payloads,” giving attackers persistent control over compromised endpoints.

Many of the exploited vulnerabilities date back years — some as old as CVE-2014-6271 (Shellshock) — while others, such as CVE-2025-1829 (TOTOLINK setMtknatCfg) and CVE-2025-5504 (TOTOLINK X2000R), are newly added to the botnet’s arsenal.

Trend Micro emphasized that “active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog.”

The latest Trend Micro telemetry shows RondoDox has evolved beyond a simple botnet — it now operates using a loader-as-a-service (LaaS) model.
This infrastructure distributes RondoDox alongside Mirai and Morte payloads, effectively blending multiple botnet strains under a shared delivery framework.

Trend Micro observed that CloudSEK and Fortinet also detected the same hybrid infrastructure, where RondoDox “co-packages with Mirai/Morte payloads — making detection and remediation more urgent.”

RondoDox’s lifecycle traces back to responsible disclosures at Pwn2Own Toronto 2022, where researchers from Qrious Secure — Tri Dang and Bien Pham (@bienpnn) — successfully demonstrated command injection and authentication bypass vulnerabilities in TP-Link routers.

Since then, Trend Micro has tracked the following milestones:

  • December 2022: TP-Link bug discovered during Pwn2Own Toronto.
  • January 2023: Vulnerability (CVE-2023-1389) disclosed and patched.
  • June 2025: First RondoDox exploitation detected in the wild.
  • September 2025: Spike in RondoDox activity, spreading via loader-as-a-service infrastructure.

Trend Micro’s analysis lists 56 vulnerabilities exploited by RondoDox, 38 of which have CVE identifiers. Command injection remains the weapon of choice, accounting for nearly 90% of exploits.
The botnet’s targets span dozens of vendors, including D-Link, Netgear, TP-Link, TOTOLINK, QNAP, Cisco, Zyxel, and Apache.

“RondoDox’s expanded arsenal now includes several additional CVEs and exploitation patterns observed in the wild,” the researchers noted. “It’s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.”

Some of the most critical CVEs observed include:

  • CVE-2024-3721 – TBK DVR command injection
  • CVE-2024-12856 – Four-Faith router remote execution
  • CVE-2025-22905 – Edimax RE11S router
  • CVE-2023-47565 – QNAP VioStor NVR
  • CVE-2018-10561 – Dasan GPON home router
