
RondoDox Botnet Exploits 2018 Flaw in Asus Routers

Data Breach Today · Archived May 23, 2026

Botnet Operators Execute First Known Exploit of Nearly Decade-Old Flaw

Operators behind a botnet picked up on a nearly decade-old flaw in Asus routers that allows an unauthenticated attacker to achieve remote code execution as a root user. VulnCheck began observing exploitation of the Asus vulnerability on May 17.



Endpoint Security, Internet of Things Security

Greg Sirico • May 22, 2026

Operators behind a botnet picked up on a nearly decade-old flaw in Asus routers that allows an unauthenticated attacker to achieve remote code execution as a root user.

Researchers at VulnCheck flagged in-the-wild exploitation of CVE-2018-5999, a critical flaw carrying a 9.8 CVSS score, by the RondoDox botnet. The botnet, which surfaced in mid-2025 and focuses on Linux systems, is often classed as a variant of the Mirai botnet. "Unlike Mirai, this malware’s sole purpose is to execute DoS attacks, while Mirai is not only capable of doing DoS attacks but also scan and exploit other systems," wrote Bitsight in March.

VulnCheck began observing exploitation of the Asus vulnerability on May 17. "Public exploits have been available since 2018," wrote VulnCheck CTO Jacob Baines in a Friday LinkedIn post. "But until now, we hadn't seen the vulnerability exploited in the wild."

RondoDox relies on a multi-stage attack chain built around mass exploitation, particularly focusing on end-of-life and IoT devices. It scans for exposed devices, attempting to exploit one of possibly dozens of embedded CVEs at once, often chaining flaws together before introducing a malware payload, which connects to command-and-control infrastructure.

"RondoDox is well known for implementing a ton of exploits. Some analyses have tracked its CVE associations well into the 170s, so it’s not surprising or new that they’re using older ones too," said Baines.

According to Bitsight analysis, threat actors behind RondoDox likely monitor vulnerability disclosures, exploiting certain CVEs linked to consumer tech before publication.

With "compromised residential IPs" serving as its hosting infrastructure, the botnet relies on older vulnerabilities found in "widely deployed, largely end-of-life consumer routers" to maintain persistence. "There are a ton of Asus routers online, more than 1 million, so it’s very conceivable that this is working for RondoDox," said Baines.

Source: Data Breach Today. Category: Industry News & Leadership. Published: May 23, 2026. Archived: May 23, 2026.