Researchers revealed a nine-month campaign exploiting the React2Shell vulnerability to build the RondoDox botnet. The botnet scans for vulnerable devices and installs various malware, including cryptocurrency miners and a Mirai variant. Organizations are urged to update software and implement security measures to defend against these attacks.

The RondoDox botnet is exploiting a critical RCE vulnerability in XWiki, tracked as CVE-2025-24893. CISA has flagged this flaw as actively exploited, with RondoDox using it to execute malicious payloads on affected servers. Immediate patching is recommended for vulnerable versions.