{"id":59483,"date":"2025-10-09T00:00:00","date_gmt":"2025-10-09T00:00:00","guid":{"rendered":"urn:uuid:11e41e25-0dcd-49c9-b5e4-02a1b4ccbd36"},"modified":"2025-10-09T00:00:00","modified_gmt":"2025-10-09T00:00:00","slug":"rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/","title":{"rendered":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"description\" content=\"Trend\u2122 Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2025-10-09\"> <meta property=\"article:tag\" content=\"cyber threats\"> <meta property=\"article:section\" content=\"latest news\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/rondodox.html\"> <title>RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits | Trend Micro (US)<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link 
href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.47ce60d92d94610907e7a2cbd6fbca69.css\" type=\"text\/css\">\n<link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendmicro\/clientlibs\/trendmicro-core-2\/clientlibs\/header-footer.min.ed72bbd5ec8a033bb224030ee7e2c12e.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/rondodox.html\"><br \/>\n<meta property=\"og:title\" content=\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits\"><br \/>\n<meta property=\"og:description\" content=\"Trend\u2122 Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/RondoDox-thumbnail.jpg\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits\"><br \/>\n<meta name=\"twitter:description\" content=\"Trend\u2122 Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/25\/RondoDox-thumbnail.jpg\"> <meta name=\"user-country-code\" content=\"US\"> <\/head> <body 
class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"50.499786820787\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layers *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"1716514446\">\n<div class=\"col-xs-12 col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"10.5\">\n<div class=\"article-details\" role=\"heading\" readability=\"41\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Cyber Threats<\/p>\n<p class=\"article-details__description\">Trend\u2122 Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests.<\/p>\n<p class=\"article-details__author-by\">By: Deep Patel, Ashish Verma, Simon Dulude, Peter Girnus <time class=\"article-details__date\">October 09, 2025<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<div class=\"article-details__icons\"> <!--Add This--> <\/p>\n<div class=\"a2a_kit a2a_default_style\" data-a2a-icon-color=\"#717172\"> <a class=\"a2a_dd addthis_link\" href=\"https:\/\/www.addtoany.com\/share\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/share-more.svg\" class=\"svg-icon\" alt=\"Share\"> <\/a> <a class=\"a2a_button_print addthis_link\"> <img decoding=\"async\" 
src=\"https:\/\/www.trendmicro.com\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch\/resources\/img\/printer.svg\" class=\"svg-icon\" alt=\"Print\"> <\/a> <\/div>\n<p> <!--Add to Folio--> <!--Subscribe--> <\/div>\n<\/div><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-lg-8 col-lg-push-2\"> <\/p>\n<div>\n<div class=\"richText\" readability=\"39.5\">\n<div readability=\"24\">\n<p><b><span class=\"body-subhead-title\">Key takeaways<\/span><\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">The campaign exposes organizations to the risks of data exfiltration, persistent network compromise, and operational disruption for organizations with exposed infrastructure.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations operating internet-facing network devices are at heightened risk. Active exploitation has been observed globally since mid-2025, with several CVEs now included in CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Prioritize patching of all listed vulnerabilities, especially those in the KEV catalog. Conduct regular vulnerability assessments, segment networks to limit lateral movement, and continuously monitor devices for anomalous activities. Trend Micro solutions already provide protection against vulnerabilities and flaws exploited in this campaign, helping organizations mitigate exposure while patching efforts are underway.<\/span><\/li>\n<\/ul>\n<p>The ZDI Threat Hunting and Trend\u2122 Research teams have identified a significant RondoDox botnet campaign that targets a wide range of internet-exposed infrastructure. This campaign consists of over 50 exploits, including unpatched router flaws across over 30 vendors, targeting vulnerabilities found in routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices. 
While the individual exploits target vulnerabilities in routers, DVRs, NVRs, CCTV systems, web servers, and networking equipment, the latest RondoDox campaign uses an &#8220;exploit shotgun&#8221; approach, launching multiple exploits and seeing which ones hit.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.681467181467\">\n<div readability=\"16.610038610039\">\n<p>The first RondoDox intrusion attempt we observed began on June 15, 2025, when we identified a familiar vulnerability from our Pwn2Own Toronto event. This vulnerability, tracked as <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-451\/\" target=\"_blank\">CVE-2023-1389<\/a>, targets the WAN interface of the TP-Link Archer AX21 Wi-Fi router.<\/p>\n<p>We previously reported on a <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2023\/4\/21\/tp-link-wan-side-vulnerability-cve-2023-1389-added-to-the-mirai-botnet-arsenal\" target=\"_blank\">Mirai campaign<\/a> that exploited <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-451\/\" target=\"_blank\">CVE-2023-1389<\/a> back in 2023, shortly after the Pwn2Own event. Vulnerabilities presented at our Pwn2Own consumer event continue to be popular with botnet operators.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/j\/rondodox\/RondoDox-Fig01.png\" alt=\"Figure 1. Pwn2Own Ireland target list in the SOHO Smashup event including multiple networking devices\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 1. 
Pwn2Own Ireland target list in the SOHO Smashup event including multiple networking devices<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>Trend customers can be reassured that they have been protected against vulnerabilities like CVE-2023-1389 since it was disclosed at Pwn2Own.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/j\/rondodox\/RondoDox-Fig02.png\" alt=\"Figure 2. Tri Dang and Bien Pham (@bienpnn) from Qrious Secure were able to exploit two bugs (authentication bypass and command injection) at Pwn2Own Toronto 2022\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 2. Tri Dang and Bien Pham (@bienpnn) from Qrious Secure were able to exploit two bugs (authentication bypass and command injection) at Pwn2Own Toronto 2022<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"34.972826086957\">\n<div readability=\"20.625\">\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/rondobox-unveiled-breaking-down-a-botnet-threat\" target=\"_blank\">RondoDox<\/a> first surfaced publicly in mid-2025 as a stealthy botnet campaign that weaponizes longstanding command-injection flaws in internet-facing routers, DVRs, NVRs, CCTV systems, and other networking equipment to gain shell access and, ultimately, to drop multiarchitecture payloads. 
The initial <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/rondobox-unveiled-breaking-down-a-botnet-threat\" target=\"_blank\">RondoDox<\/a> analysis authored by <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/rondobox-unveiled-breaking-down-a-botnet-threat\" target=\"_blank\">FortiGuard Labs<\/a> highlighted an initial campaign, which focused on <a href=\"https:\/\/thehackernews.com\/2025\/07\/rondodox-botnet-exploits-flaws-in-tbk.html\" target=\"_blank\">TBK DVRs and Four-Faith routers<\/a>, through the exploitation of CVE-2024-3721 and <a href=\"https:\/\/www.vulncheck.com\/blog\/four-faith-cve-2024-12856\" target=\"_blank\">CVE-2024-12856<\/a>.<\/p>\n<p>More recently, RondoDox broadened its distribution by using a \u201cloader-as-a-service\u201d infrastructure that co-packages RondoDox with Mirai\/Morte payloads \u2014 making detection and remediation more urgent.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/25\/j\/rondodox\/RondoDox-Fig03.png\" alt=\"Figure 3. A timeline of the RondoDox vulnerability, from initial disclosure and first detection in 2025 to eventual widespread exploitation in large-scale campaigns\"> <\/p>\n<div class=\"caption-image-container \"><figcaption>Figure 3. 
A timeline of the RondoDox vulnerability, from initial disclosure and first detection in 2025 to eventual widespread exploitation in large-scale campaigns<\/figcaption><\/div>\n<\/figure><\/div>\n<div class=\"richText\" readability=\"26.869198312236\">\n<div readability=\"7.5569620253165\">\n<p>Below is the timeline showing key events in the RondoDox vulnerability, from discovery to exploitation:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><b>December 6, 2022:<\/b> <span>Tri Dang and Bien Pham (@bienpnn) from Qrious Secure exploit the WAN interface of TP-Link AX1800 at <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2022\/12\/5\/pwn2own-toronto-2022-day-one-results\" target=\"_blank\">Pwn2Own Toronto 2022<\/a>.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>January 10, 2023: <\/b><span>Trend Network Security &nbsp;publishes rule <a href=\"https:\/\/success.trendmicro.com\/en-US\/solution\/KA-0020126\" target=\"_blank\">42150: HTTP: TP-Link AX1800 locale controller Command Injection Vulnerability (ZDI-23-451).<\/a><\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>January 15, 2023: <\/b><span>Pwn2Own vulnerability is reported to TP-Link. 
Coordinated public disclosure of <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-451\/\" target=\"_blank\">CVE-2023-1389<\/a> with vendor.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>June 15, 2025: <\/b><span>First RondoDox event detected in Trend telemetry, exploiting the <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2023\/10\/23\/pwn2own-toronto-2023-the-schedule\" target=\"_blank\">Pwn2Own Toronto 2022<\/a> bug, CVE-2023-1389.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>September 22, 2025<\/b>: <span>Trend Threat Research triages a RondoDox exploitation spike inside Trend telemetry.<\/span><\/span><\/li>\n<li><span class=\"rte-red-bullet\"><b>September 25, 2025:<\/b> <span><a href=\"https:\/\/www.cloudsek.com\/blog\/botnet-loader-as-a-service-infrastructure-distributing-rondodox-and-mirai-payloads\" target=\"_blank\">CloudSEK<\/a> publishes a follow-up showing rapid growth via a loader-as-a-service model that distributes RondoDox alongside Mirai\/Morte, with evidence of large-scale, rotated infrastructure.<\/span><\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39.405555555556\">\n<div readability=\"25.95\">\n<p>Building on <a href=\"https:\/\/www.zerodayinitiative.com\/advisories\/ZDI-23-451\/\" target=\"_blank\">CVE-2023-1389<\/a> and other vulnerabilities, such as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2024-3721\" target=\"_blank\">CVE-2024-3721&nbsp;<\/a>and&nbsp;<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/cve-2024-12856\" target=\"_blank\">CVE-2024-12856<\/a>, RondoDox\u2019s expanded arsenal now includes several additional CVEs and exploitation patterns observed in the wild. 
It\u2019s a clear signal that the campaign is evolving beyond single-device opportunism into a multivector loader operation.<\/p>\n<p>Notably, researchers tied the active exploitation of CVE-2024-3721 (TBK DVR) and CVE-2024-12856 (Four-Faith routers) to RondoDox activity, and a subset of the newly observed vulnerabilities was added to CISA\u2019s Known Exploited Vulnerabilities (KEV) catalog, elevating them to immediate, high-priority patching targets for defenders.<\/p>\n<p>Below we list the fresh CVEs researchers have seen in RondoDox campaigns, summarizing how each is being weaponized:<\/p>\n<p><b>RondoDox targeted vulnerabilities<\/b><\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Total Vulnerabilities: 56<\/span><\/li>\n<li><span class=\"rte-red-bullet\">No CVE Assigned: 18<\/span><\/li>\n<li><span class=\"rte-red-bullet\">CVE Assigned: 38<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Command Injection (CWE-78): 50<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Path Traversal (CWE-22): 2<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Buffer Overflow (CWE-120): 1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Authentication Bypass (CWE-287): 1<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Memory Corruption (CWE-119): 1<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31\">\n<div class=\"responsive-table-wrap\" readability=\"7\"> <center><\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody readability=\"9\">\n<tr>\n<td width=\"104\" valign=\"top\"><b>Vendor<\/b><\/td>\n<td width=\"227\" valign=\"top\"><b>Product<\/b><\/td>\n<td width=\"132\" valign=\"top\"><b>CVE ID<\/b><\/td>\n<td width=\"85\" valign=\"top\"><b>CWE<\/b><\/td>\n<td width=\"76\" valign=\"top\"><b>Type<\/b><\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DNS-343 ShareCenter \/ goAhead Web Server<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td 
width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">TVT<\/td>\n<td width=\"227\" valign=\"top\">NVMS-9000 Digital Video Recorder (DVR)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">LILIN<\/td>\n<td width=\"227\" valign=\"top\">DVR (Variant A)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">LILIN<\/td>\n<td width=\"227\" valign=\"top\">DVR (Variant B)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Fiberhome<\/td>\n<td width=\"227\" valign=\"top\">Router SR1041F RP0105<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Linksys<\/td>\n<td width=\"227\" valign=\"top\">Router apply.cgi (Variant A)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Linksys<\/td>\n<td width=\"227\" valign=\"top\">Router apply.cgi (Variant B)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">BYTEVALUE<\/td>\n<td width=\"227\" valign=\"top\">Intelligent Flow Router<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No 
CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DIR-645 &amp; DIR-815<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Unknown<\/td>\n<td width=\"227\" valign=\"top\">wlan_operate endpoint<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Unknown<\/td>\n<td width=\"227\" valign=\"top\">resize_ext2 endpoint<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">ASMAX<\/td>\n<td width=\"227\" valign=\"top\">804 Router<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DIR-X4860<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Unknown<\/td>\n<td width=\"227\" valign=\"top\">File Upload (upgrade form)<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Brickcom<\/td>\n<td width=\"227\" valign=\"top\">IP Camera<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">IQrouter<\/td>\n<td width=\"227\" valign=\"top\">IQrouter 3.3.1<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td 
width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Ricon<\/td>\n<td width=\"227\" valign=\"top\">Industrial Cellular Router S9922XL<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Unknown<\/td>\n<td width=\"227\" valign=\"top\">Shell endpoint<\/td>\n<td width=\"132\" valign=\"top\">N\/A<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">No CVE<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Nexxt<\/td>\n<td width=\"227\" valign=\"top\">Router Firmware<\/td>\n<td width=\"132\" valign=\"top\">CVE-2022-44149<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DIR-645 Wired\/Wireless Router<\/td>\n<td width=\"132\" valign=\"top\">CVE-2015-2051<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Netgear<\/td>\n<td width=\"227\" valign=\"top\">R7000 \/ R6400 Router<\/td>\n<td width=\"132\" valign=\"top\">CVE-2016-6277<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Netgear<\/td>\n<td width=\"227\" valign=\"top\">Multiple Routers (mini_httpd)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2020-27867<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Apache<\/td>\n<td width=\"227\" valign=\"top\">HTTP Server<\/td>\n<td width=\"132\" valign=\"top\">CVE-2021-41773<\/td>\n<td width=\"85\" valign=\"top\">CWE-22<\/td>\n<td width=\"76\" 
valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Apache<\/td>\n<td width=\"227\" valign=\"top\">HTTP Server<\/td>\n<td width=\"132\" valign=\"top\">CVE-2021-42013<\/td>\n<td width=\"85\" valign=\"top\">CWE-22<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TBK<\/td>\n<td width=\"227\" valign=\"top\">Multiple DVRs<\/td>\n<td width=\"132\" valign=\"top\">CVE-2024-3721<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TOTOLINK<\/td>\n<td width=\"227\" valign=\"top\">Router (setMtknatCfg)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-1829<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Meteobridge<\/td>\n<td width=\"227\" valign=\"top\">Web Interface<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-4008<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DNS-320<\/td>\n<td width=\"132\" valign=\"top\">CVE-2020-25506<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Digiever<\/td>\n<td width=\"227\" valign=\"top\">DS-2105 Pro<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-52163<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Netgear<\/td>\n<td width=\"227\" valign=\"top\">DGN1000<\/td>\n<td width=\"132\" valign=\"top\">CVE-2024-12847<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">Multiple Products<\/td>\n<td width=\"132\" 
valign=\"top\">CVE-2024-10914<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Edimax<\/td>\n<td width=\"227\" valign=\"top\">RE11S Router<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-22905<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">QNAP<\/td>\n<td width=\"227\" valign=\"top\">VioStor NVR<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-47565<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DIR-816<\/td>\n<td width=\"132\" valign=\"top\">CVE-2022-37129<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">GNU<\/td>\n<td width=\"227\" valign=\"top\">Bash (ShellShock)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2014-6271<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Dasan<\/td>\n<td width=\"227\" valign=\"top\">GPON Home Router<\/td>\n<td width=\"132\" valign=\"top\">CVE-2018-10561<\/td>\n<td width=\"85\" valign=\"top\">CWE-287<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Four-Faith<\/td>\n<td width=\"227\" valign=\"top\">Industrial Routers<\/td>\n<td width=\"132\" valign=\"top\">CVE-2024-12856<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TP-Link<\/td>\n<td width=\"227\" valign=\"top\">Archer AX21<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-1389<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" 
valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">Multiple Products<\/td>\n<td width=\"132\" valign=\"top\">CVE-2019-16920<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Tenda<\/td>\n<td width=\"227\" valign=\"top\">Router (fromNetToolGet)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-7414<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Tenda<\/td>\n<td width=\"227\" valign=\"top\">Router (deviceName)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2020-10987<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">LB-LINK<\/td>\n<td width=\"227\" valign=\"top\">Multiple Routers<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-26801<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr readability=\"2\">\n<td width=\"104\" valign=\"top\">Linksys<\/td>\n<td width=\"227\" valign=\"top\">E-Series Multiple Routers<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-34037<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">AVTECH<\/td>\n<td width=\"227\" valign=\"top\">CCTV<\/td>\n<td width=\"132\" valign=\"top\">CVE-2024-7029<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TOTOLINK<\/td>\n<td width=\"227\" valign=\"top\">X2000R<\/td>\n<td width=\"132\" valign=\"top\">CVE-2025-5504<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">ZyXEL<\/td>\n<td width=\"227\" valign=\"top\">P660HN-T1A<\/td>\n<td width=\"132\" 
valign=\"top\">CVE-2017-18368<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Hytec Inter<\/td>\n<td width=\"227\" valign=\"top\">HWL-2511-SS<\/td>\n<td width=\"132\" valign=\"top\">CVE-2022-36553<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Belkin<\/td>\n<td width=\"227\" valign=\"top\">Play N750<\/td>\n<td width=\"132\" valign=\"top\">CVE-2014-1635<\/td>\n<td width=\"85\" valign=\"top\">CWE-120<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TRENDnet<\/td>\n<td width=\"227\" valign=\"top\">TEW-411BRPplus<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-51833<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">TP-Link<\/td>\n<td width=\"227\" valign=\"top\">TL-WR840N<\/td>\n<td width=\"132\" valign=\"top\">CVE-2018-11714<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">D-Link<\/td>\n<td width=\"227\" valign=\"top\">DIR820LA1_FW105B03<\/td>\n<td width=\"132\" valign=\"top\">CVE-2023-25280<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Billion<\/td>\n<td width=\"227\" valign=\"top\">5200W-T Router<\/td>\n<td width=\"132\" valign=\"top\">CVE-2017-18369<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" valign=\"top\">Cisco<\/td>\n<td width=\"227\" valign=\"top\">Multiple Products<\/td>\n<td width=\"132\" valign=\"top\">CVE-2019-1663<\/td>\n<td width=\"85\" valign=\"top\">CWE-119<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<tr>\n<td width=\"104\" 
valign=\"top\">TOTOLINK<\/td>\n<td width=\"227\" valign=\"top\">Router (setWizardCfg)<\/td>\n<td width=\"132\" valign=\"top\">CVE-2024-1781<\/td>\n<td width=\"85\" valign=\"top\">CWE-78<\/td>\n<td width=\"76\" valign=\"top\">N-Day<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><\/center><\/p>\n<p><span class=\"rte-icon-component-text\">Table 1. CVEs seen in RondoDox campaigns<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"42.420485175202\">\n<div readability=\"30.582210242588\">\n<p>The latest RondoDox botnet campaign represents a significant evolution in automated network exploitation, demonstrating how threat actors continue to weaponize both publicly disclosed vulnerabilities and zero-day exploits discovered at security competitions like Pwn2Own.<\/p>\n<p>The campaign\u2019s shotgun approach of targeting more than 50 vulnerabilities across over 30 vendors underscores the persistent risks facing organizations that maintain internet-exposed network infrastructure without adequate security controls.<\/p>\n<p>The timeline presented in this analysis reveals an uncomfortable truth about the vulnerability lifecycle. Even when security researchers responsibly disclose flaws and vendors issue patches, the window between public disclosure and widespread exploitation continues to shrink, while the lifecycle of n-day exploits remains a perennial challenge to devices and their vendors. 
Organizations that delay patching or fail to maintain comprehensive asset inventories of their network edge devices create opportunities for campaigns like RondoDox to establish persistent footholds within their infrastructure.<\/p>\n<p>Moving forward, defenders must adopt a proactive security posture that includes regular vulnerability assessments, network segmentation to limit lateral movement, restricted internet exposure, and continuous monitoring for signs of compromise.<\/p>\n<p>We look forward to seeing great research at <a href=\"https:\/\/www.zerodayinitiative.com\/blog\/2025\/7\/30\/pwn2own-returns-to-ireland-with-a-one-million-dollar-whatsapp-target\" target=\"_blank\">Pwn2Own Ireland 2025<\/a>!<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.366386554622\">\n<div readability=\"15.489075630252\">\n<h2><span class=\"body-subhead-title\">Proactive security with Trend Vision One\u2122&nbsp;<\/span><\/h2>\n<p><a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/one-platform.html\" target=\"_blank\">Trend Vision One\ufe0f<\/a>\u2122&nbsp;is the only AI-powered enterprise cybersecurity platform that centralizes cyber risk exposure management, security operations, and robust layered protection. This holistic approach helps enterprises predict and prevent threats, accelerating proactive security outcomes across their respective digital estate. 
Eliminate security blind spots, focus on what matters most, and elevate security into a strategic partner for innovation, especially in cases of novel malware threats such as the one discussed in this blog entry.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.634763476348\">\n<div readability=\"19.221122112211\">\n<p><b>Trend Vision One\u2122 Threat Intelligence\u202f<\/b><\/p>\n<p>To stay ahead of evolving threats, Trend customers can access\u202f<a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/threat-intelligence.html\" target=\"_blank\">Trend Vision One\u2122 Threat Insights<\/a>,\u202fwhich provides the latest insights from Trend\u2122 Research on emerging threats and threat actors.\u202f\u202f\u202f<\/p>\n<p><b>Trend Vision One Threat Insights\u202f\u202f<\/b><\/p>\n<p><b>Trend Vision One Intelligence Reports (IOC Sweeping)<\/b>\u202f\u202f<\/p>\n<p><span class=\"body-subhead-title\">Hunting Queries\u202f\u202f<\/span><\/p>\n<p><b>Trend Vision One Search App\u202f\u202f<\/b><\/p>\n<p>Trend Vision One customers can use the Search App to match or hunt the malicious indicators mentioned in this blog post with data in their environment.\u202f<\/p>\n<p><span class=\"blockquote\">eventSubId:2 AND (processCmd:&#8221;#!\/bin\/sh&#8221; AND processCmd:&#8221;chmod 777&#8221; AND processCmd:&#8221;service apparmor stop&#8221; AND processCmd:rondo.)<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>Generic Splunk query example:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\"><i>index=&#8221;&lt;index_name&gt;&#8221; | spath &lt;json_field&gt; | search &lt;json_field&gt;=&#8221;*rondo.*&#8221;&nbsp;<\/i><\/span><\/li>\n<\/ul>\n<p><b>Generic Network Detection<\/b><\/p>\n<p><span class=\"blockquote\">index=proxy OR index=web OR index=firewall | search user_agent=&#8221;*bang2012@protonmail.com*&#8221; OR User-Agent=&#8221;*bang2012@protonmail.com*&#8221; | 
table _time src_ip dest_ip url user_agent | sort -_time<\/span><\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Detects a common Proton email address found in numerous exploitation samples.<\/p>\n<blockquote><p>rule ZTH_Malware_RondoDox_Email{<br \/>meta:<br \/>description = &#8220;Detects patterns associated with rondo malware&#8221;<br \/>date = &#8220;2025-09-29&#8221;<br \/>author = &#8220;Peter Girnus (@gothburz)&#8221;<br \/>strings:<br \/>$s0 = &#8220;bang2012@protonmail.com&#8221; ascii<br \/>$s1 = &#8220;makenoise@tutanota.de&#8221; ascii<\/p>\n<p>condition:<br \/>any of them<br \/>}<\/p>\n<\/blockquote>\n<p><span class=\"body-subhead-title\">RondoDox Loader<\/span><\/p>\n<p>Detects attempts to fetch infection payloads. This happens post-exploitation of the above-mentioned vulnerabilities.<\/p>\n<blockquote><p>rule ZTH_Malware_RondoDox_Loader_A {<br \/>meta:<br \/>description = &#8220;Detects patterns associated with the RondoDox post exploitation.&#8221;<br \/>date = &#8220;2025-09-29&#8221;<br \/>author = &#8220;Peter Girnus (@gothburz) with Trend Zero Day Initiative.&#8221;<br \/>strings:<br \/>$s0 = &#8220;#!\/bin\/sh&#8221; ascii<br \/>$s1 = &#8220;chmod 777&#8221; ascii<br \/>$s2 = &#8220;service apparmor stop&#8221; ascii<br \/>$r1 = \/\\brondo\\.\/ nocase<br \/>condition:<br \/>all of them<br \/>}<\/p><\/blockquote><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p><b>Acknowledgements<\/b><\/p>\n<p>The authors would like to acknowledge the following team members for their contributions to this project.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">William Gamazo Sanchez<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Alfredo Oliveira<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Trend Response<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Writing Team &amp; Trend Marketing<\/span><\/li>\n<\/ul><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<section 
class=\"tag--list\">\n<p>Tags<\/p>\n<\/section>\n<p> <\/main> <\/article>\n<\/div>\n<\/div><\/div>\n<\/div>\n<p> <!-- \/* Core functionality javascripts, absolute URL to leverage Akamai CDN *\/ --> <!--For Modal-start--> <\/p>\n<p> <span>sXpIBdPeKzI9PC2p0SWMpUSM2NSxWzPyXTMLlbXmYa0R20xk<\/span> <\/p>\n<p> <!--For Modal-end--> <\/body> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/25\/j\/rondodox.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trend\u2122 Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9511,9534,9509],"class_list":["post-59483","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-threats","tag-trend-micro-research-latest-news","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2025-10-09T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"9 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits\",\"datePublished\":\"2025-10-09T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/\"},\"wordCount\":1763,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/RondoDox-thumbnail:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Threats\",\"Trend Micro Research : Latest News\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/\",\"name\":\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/RondoDox-thumbnail:Large?qlt=80\",\"datePublished\":\"2025-10-09T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/RondoDox-thumbnail:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/RondoDox-thumbnail:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, 
Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/","og_locale":"en_US","og_type":"article","og_title":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2025-10-09T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"9 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits","datePublished":"2025-10-09T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/"},"wordCount":1763,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Threats","Trend Micro Research : Latest News","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/","url":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/","name":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80","datePublished":"2025-10-09T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/RondoDox-thumbnail:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/rondodox-from-targeting-pwn2own-vulnerabilities-to-shotgunning-exploits\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning 
Exploits"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a86
71ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59483","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=59483"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/59483\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=59483"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=59483"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=59483"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}