Malware | May 23, 2026

RondoDox Botnet Exploits Critical 2018 Vulnerability to Hijack ASUS Routers

RondoDox botnet exploits 2018 ASUS router vulnerability to hijack over 1 million devices.

Summary

VulnCheck discovered that the RondoDox botnet is actively exploiting CVE-2018-5999, a critical 2018 vulnerability in ASUS routers, to bypass authentication and hijack over 1 million devices. The vulnerability (CVSS 9.8/10) allows unauthenticated attackers to modify router settings by manipulating the ateCommand_flag parameter. Though exploit code has been public since 2018, real-world exploitation only began in May 2026, with RondoDox using the compromised routers to launch DDoS attacks.

Full text

Cybersecurity firm VulnCheck reveals hackers are using a critical 2018 vulnerability to bypass authentication and hack over a million ASUS routers.

by Deeba Ahmed, May 23, 2026

Cybersecurity firm VulnCheck’s latest research reveals that cybercriminals are now targeting old models of ASUS routers by exploiting a software vulnerability from 2018, tracked as CVE-2018-5999. This is a critical unauthenticated configuration update vulnerability with a CVSS score of 9.8/10 that lets hackers change the settings of the router without needing a password.

The attacks were discovered by the firm’s specialised system called VulnCheck Canary Network. Further probing revealed that a botnet (network of infected devices running the malware payload) named RondoDox botnet is behind these attacks, and those operating it started exploiting the vulnerability on May 17. Following these findings, the vulnerability has been added to the company’s Known Exploited Vulnerabilities catalogue.

As per the research findings, shared with Hackread.com, the attack pattern relies on a specific mechanism where the attackers send data payloads to set the ateCommand_flag setting to 1. This change prompts the router’s internal system interface, called infosvr, to open up and accept unauthorised configuration changes from the outside. VulnCheck’s Initial Access team tested this method and successfully used the vulnerability to change the admin password of a router.

What’s more troubling is that even though code to abuse this vulnerability has been public since 2018, hackers had not used it in the real world until now. Jacob Baines, the Chief Technology Officer at VulnCheck, explained the situation in a LinkedIn post, noting that “RondoDox is well known for implementing a ton of exploits. Some analyses have tracked its CVE associations well into the 170s, so it’s not surprising or new that they’re using older ones too.”

The problem is huge because these devices are everywhere. ASUS routers are made in Taiwan and China and are very popular in homes. Baines added: “There are a ton of ASUS routers online, more than 1 million, so it’s very conceivable that this is working for RondoDox.”

RondoDox operators have been active since mid-2025, and mostly attack systems running Linux software, much like another botnet operator called Mirai. However, RondoDox is focused on a specific goal of starting Denial of Service attacks. These attacks flood a website or system with too much internet traffic until it crashes.

According to VulnCheck’s State of Exploitation 2026 report findings on edge device vulnerabilities, cybercriminals look for old tech that companies don’t support with software updates anymore, technically called end-of-life devices. VulnCheck found that 56 percent of attacked internet edge devices in 2025 were consumer routers. Also, 65 percent of vulnerabilities used by botnets were on unsupported tech. This makes it easy for scammers to take over home internet routers.

This warning follows recent coverage by Hackread.com on another RondoDox campaign reported by CloudSEK, where the botnet targeted smart cameras and websites by exploiting a critical Next.js vulnerability called React2Shell (CVE-2025-55182) to hijack servers without a password.

Deeba Ahmed is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.

Indicators of Compromise

  • cve — CVE-2018-5999
  • cve — CVE-2025-55182
  • malware — RondoDox
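
A detection check for the `ateCommand_flag` behaviour described in the article, added here as an example (it is not code from VulnCheck or Hackread.com). It assumes the payload reaches the router as an HTTP form field and that a proxy or sensor records each request's content type and body; the function names and the sample records are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl

FIELD = "ateCommand_flag"  # parameter named in the article

# One multipart/form-data part: captures the field name and its value.
_PART = re.compile(
    rb'Content-Disposition:\s*form-data;\s*name="([^"]+)"[^\r\n]*\r?\n'
    rb'(?:[^\r\n]+\r?\n)*\r?\n(.*?)\r?\n--', re.S | re.I)

def form_fields(content_type: str, body: bytes):
    """Yield (name, value) pairs from a urlencoded or multipart body."""
    if content_type.lower().startswith("multipart/form-data"):
        for name, value in _PART.findall(body):
            yield name.decode("latin-1"), value.decode("latin-1")
    else:
        # parse_qsl percent-decodes, so ateCommand%5Fflag is caught as well
        yield from parse_qsl(body.decode("latin-1"), keep_blank_values=True)

def sets_ate_flag(content_type: str, body: bytes) -> bool:
    """True when the body tries to set ateCommand_flag to 1."""
    return any(n.strip() == FIELD and v.strip() == "1"
               for n, v in form_fields(content_type, body))

# Constructed sample records (not real traffic): (source, content type, body)
SAMPLES = [
    ("198.51.100.7", "application/x-www-form-urlencoded", b"ateCommand%5Fflag=1"),
    ("198.51.100.7", "multipart/form-data; boundary=B",
     b'--B\r\nContent-Disposition: form-data; name="ateCommand_flag"'
     b'\r\n\r\n1\r\n--B--\r\n'),
    ("192.0.2.10", "application/x-www-form-urlencoded", b"ateCommand_flag=0&lang=EN"),
    ("192.0.2.11", "application/x-www-form-urlencoded", b"note=ateCommand_flag+1"),
]

def suspicious_sources(records):
    """Count flagged requests per source address."""
    return dict(Counter(src for src, ctype, body in records
                        if sets_ate_flag(ctype, body)))

if __name__ == "__main__":
    print(suspicious_sources(SAMPLES))
```

Parsing the form fields instead of searching for the raw string avoids a miss on a percent-encoded field name and a false alert when the name only appears inside another field's value.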

Entities

  • RondoDox (threat_actor)
  • ASUS (vendor)
  • VulnCheck (vendor)
  • ASUS routers (product)
  • Next.js (technology)
  • Mirai (threat_actor)