React2Shell under attack: RondoDox Botnet spreads miners and malware
Summary: The RondoDox botnet exploits the React2Shell flaw (CVE-2025-55182) to attack Next.js servers, spreading malware and cryptominers. The flaw allows unauthenticated code execution; the threat actors use a multi-exploit strategy and launch large-scale attacks against IoT devices and web applications. Experts advise urgent patching and strengthened defenses. 2026-1-1 14:31:42 Author: securityaffairs.com


RondoDox botnet exploits the critical React2Shell flaw (CVE-2025-55182) to infect vulnerable Next.js servers with malware and cryptominers.

CloudSEK researchers warn that the RondoDox botnet is exploiting the critical React2Shell flaw (CVE-2025-55182) to drop malware and cryptominers on vulnerable Next.js servers.

“CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the threat actors have shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like “React2Shell” and cryptominers.” reads the report published by CloudSEK. “This analysis offers crucial insights into their evolving infrastructure and provides defensive recommendations to mitigate these sophisticated attacks.”

In July, FortiGuard Labs first spotted the RondoDox botnet that was exploiting CVE-2024-3721 and CVE-2024-12856. Active since 2024, it uses custom libraries and mimics gaming or VPN traffic to evade detection.

In October, Trend Micro researchers reported that the RondoDox botnet exploits 56 known flaws in over 30 device types, including DVRs, NVRs, CCTV systems, and web servers, active globally since June.

Experts noted that the latest RondoDox campaign adopts an “exploit shotgun” approach, firing multiple exploits to see which succeed.

The React Server Components flaw CVE-2025-55182 (CVSS score 10.0), in Meta's React, is a pre-authentication remote code execution vulnerability affecting React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 in the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The flaw stems from the code deserializing data from HTTP requests to Server Function endpoints without proper safety checks.

The researcher Lachlan Davidson reported the security vulnerability in React on November 29th. He explained that unsafe payload decoding in Server Function endpoints allows unauthenticated code execution. Apps using React Server Components may be exposed even without Server Function endpoints.

CloudSEK reports that the RondoDox botnet began scanning for vulnerable Next.js servers on December 8 and started deploying botnet clients three days later. In 2025, RondoDox evolved through three phases: reconnaissance and vulnerability testing (March–April), automated web application exploitation (April–June), and large-scale IoT botnet deployment from July onward.

Recently, it has heavily exploited the React2Shell flaw, launching over 40 exploit attempts in six days. The botnet now runs hourly IoT exploitation waves targeting routers from vendors like Linksys and Wavlink. Deployed payloads include a cryptominer, a botnet loader and health checker, and a Mirai variant.

CloudSEK's guidance recommends urgent audits of Next.js apps, especially Server Actions, with immediate patching or temporary disablement. It stresses isolating and hardening IoT devices, deploying WAF protections, blocking known C2 infrastructure, and enhancing network and behavioral monitoring. Additional measures include enforcing zero-trust access for admin interfaces and maintaining continuous vulnerability and patch management with threat intelligence and regular testing.


Pierluigi Paganini

(SecurityAffairs – hacking, botnet)




Source: https://securityaffairs.com/186386/uncategorized/react2shell-under-attack-rondodox-botnet-spreads-miners-and-malware.html