
RondoDox Botnet Exploits Critical React2Shell Vulnerability (CVE-2025-55182) to Spread Malware and Cryptominers
The RondoDox botnet is actively exploiting the critical React2Shell vulnerability (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers. According to researchers at CloudSEK, the campaign has been ongoing for nine months, primarily targeting IoT devices and web applications. The vulnerability allows remote code execution, which lets attackers deploy malicious payloads on compromised systems. The exact number of victims and the affected regions remain undisclosed, but the length of the campaign underscores the importance of timely patch management and robust security measures. Organizations using Next.js should prioritize applying patches for CVE-2025-55182 and monitor their systems for signs of compromise, such as unusual network traffic or increased resource usage. The incident is a reminder of the persistent threat posed by botnets and the need for continuous vigilance in maintaining secure systems.