
RondoDox Botnet Exploits 56 Vulnerabilities in Its Attacks

A large botnet called RondoDox has been discovered that exploits 56 vulnerabilities in more than 30 different devices, including bugs first demonstrated at the Pwn2Own hacking competition.

The attackers target a wide range of internet-accessible devices: digital video recorders (DVR), network video recorders (NVR), video surveillance systems, and web servers.

RondoDox uses a strategy that Trend Micro researchers call an “exploit shotgun” — the malware fires many exploits at once to maximize the number of infections, even though such noisy activity is easy to notice.
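The noisiness of the shotgun approach is what a defender can lean on. The following is an added example, not code from the original article or from Trend Micro: a small detector over web-server access-log lines that flags any source address requesting many distinct paths inside a short time window, which is the signature a multi-exploit sweep leaves behind. The log lines, addresses and paths are constructed for the example, and the window and threshold values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" style access-log line; the format is assumed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so retries of one request count as one target.
    path = m.group("path").split("?", 1)[0]
    return m.group("ip"), ts, path, int(m.group("status"))


def find_shotgun_sources(lines, window_seconds=60, min_distinct=5):
    """Map each source IP to the largest number of distinct paths it requested
    within any span of `window_seconds`; only IPs reaching `min_distinct` are kept.
    Thresholds are assumed defaults, not values from the article."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts, path, _status = parsed
            events[ip].append((ts, path))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # oldest first
        best, start = 0, 0
        # Sliding window: advance `start` until the span fits in `window`.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({p for _, p in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


# Constructed sample log: 203.0.113.7 hits six unrelated endpoints in 20 s,
# 198.51.100.9 retries one login endpoint, 192.0.2.5 is an ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.9 - - [10/Oct/2025:13:55:30 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Oct/2025:13:55:31 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Oct/2025:13:55:32 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Oct/2025:13:55:33 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Oct/2025:13:55:34 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '198.51.100.9 - - [10/Oct/2025:13:55:35 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "POST /cgi-bin/status.cgi HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:40 +0000] "GET /device/config?x=1 HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:44 +0000] "POST /admin/settings HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:48 +0000] "POST /upload HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:52 +0000] "GET /ping HTTP/1.1" 404 0',
    '203.0.113.7 - - [10/Oct/2025:13:55:56 +0000] "POST /api/v1/login HTTP/1.1" 401 0',
    '192.0.2.5 - - [10/Oct/2025:13:56:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.5 - - [10/Oct/2025:13:56:02 +0000] "GET /static/app.js HTTP/1.1" 200 4096',
    'this line is deliberately malformed and is skipped',
]

if __name__ == "__main__":
    for ip, count in find_shotgun_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct paths inside one window")
```

Counting distinct targets rather than raw request volume is the point: a brute-force loop against one login page and an ordinary visitor both stay below the threshold, while a source spraying unrelated endpoints stands out even at a low request rate.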

Researchers report that among other vulnerabilities, RondoDox targets CVE-2023-1389, a bug in the TP-Link Archer AX21 Wi‑Fi router that was first demonstrated at Pwn2Own Toronto 2022. They note that the botnet’s operators closely track exploits showcased at Pwn2Own and then put them to use in the wild.


Among the n-day vulnerabilities that RondoDox has already added to its arsenal are:

  • Digiever – CVE-2023-52163;
  • Qnap – CVE-2023-47565;
  • LB-LINK – CVE-2023-26801;
  • TRENDnet – CVE-2023-51833;
  • D-Link – CVE-2024-10914;
  • TBK – CVE-2024-3721;
  • Four-Faith – CVE-2024-12856;
  • Netgear – CVE-2024-12847;
  • AVTECH – CVE-2024-7029;
  • TOTOLINK – CVE-2024-1781;
  • Tenda – CVE-2025-7414;
  • TOTOLINK – CVE-2025-1829;
  • Meteobridge – CVE-2025-4008;
  • Edimax – CVE-2025-22905;
  • Linksys – CVE-2025-34037;
  • TOTOLINK – CVE-2025-5504;
  • TP-Link – CVE-2023-1389.

Experts note that older vulnerabilities—especially in end-of-support devices—pose a serious problem, as such devices are unlikely to receive patches. Newer flaws in supported hardware are no less dangerous, since many users simply ignore firmware updates after the initial device setup.

Trend Micro analysts report that RondoDox uses exploits for 18 command injection vulnerabilities that have not yet been assigned CVE identifiers. They affect D-Link NAS devices, TVT and LILIN DVRs, FiberHome, ASMAX, and Linksys routers, Brickcom cameras, and other unidentified devices.

As previously reported by FortiGuard Labs, RondoDox is capable of launching DDoS attacks using HTTP, UDP, and TCP. To avoid detection, the botnet disguises its malicious traffic as that of popular games and platforms, including Valve, Minecraft, Dark and Darker, Roblox, DayZ, Fortnite, GTA, as well as tools like Discord, OpenVPN, WireGuard, and RakNet.

To protect against RondoDox attacks, researchers recommend installing the latest available firmware updates and promptly replacing hardware that has reached end of support. They also advise segmenting the network—isolating critical data from internet-facing IoT devices and guest connections—as well as changing default credentials and using strong passwords.
