RondoDox Botnet Exploiting React2Shell Vulnerability
securityweek
Recent RondoDox botnet enrollment attacks have been targeting Next.js servers vulnerable to React2Shell, CloudSEK reports.
The targeted security defect, tracked as CVE-2025-55182, impacts systems that rely on version 19 of the popular open source JavaScript library React and use React Server Components (RSC).
Publicly disclosed on December 3, 2025, React2Shell also impacts frameworks that leverage React, such as Next.js, React Router, RedwoodSDK, and Waku.
The bug allows unauthenticated attackers to send specially crafted HTTP requests to React Server Function endpoints and achieve remote code execution (RCE).
Exploitation of the flaw started within days of public disclosure and was initially associated with China-linked threat groups. A week later, multiple threat actors were seen targeting vulnerable instances.
According to CloudSEK, the RondoDox botnet’s operators joined the fray during that timeframe, and for the past three weeks have focused on exploiting Next.js instances affected by React2Shell.
Between December 8 ...

