Security News: Consumer/Business Routers being Exploited

Victor M

Oct 3, 2022
RondoDox Updates its Exploit Arsenal

The malware known as RondoDox has witnessed a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, TP-Link devices, as well as a new command-and-control (C2) infrastructure on compromised residential IP. Once dropped, the malware proceeds to eliminate competition by killing existing malware such as XMRig and other botnets, disabling SELinux and AppArmor, and running the main payload that's compatible with the system architecture.
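As an added example (not code from the article or from this post), here is a small Python detector for the takeover sequence described above: SELinux set to permissive, AppArmor stopped, and competing miners killed. It runs over constructed command-audit lines in an assumed "timestamp host user command" format and only alerts when several of those behaviours cluster on one host within a few minutes; the log format, the rules and the miner names are assumptions, not RondoDox's actual commands.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of shell-command audit records, one per line, in an
# assumed "<iso-timestamp> <host> <user> <command...>" format. These are
# illustrative lines, not RondoDox's actual commands or real telemetry.
SAMPLE_LOG = """\
2025-10-14T02:11:03Z cam-dvr01 root setenforce 0
2025-10-14T02:11:04Z cam-dvr01 root systemctl stop apparmor
2025-10-14T02:11:05Z cam-dvr01 root pkill -9 xmrig
2025-10-14T02:11:06Z cam-dvr01 root killall -9 minerd
2025-10-14T02:30:00Z web01 alice ls -la /var/log
2025-10-14T02:31:00Z web01 bob systemctl status apparmor
2025-10-14T09:00:00Z build02 ci setenforce 0
"""

# One rule per behaviour the thread describes. Miner names are examples;
# extend the alternation with whatever your environment must not run.
RULES = {
    "selinux_disabled": re.compile(r"\bsetenforce\s+(0|[Pp]ermissive)\b"),
    "apparmor_disabled": re.compile(
        r"\b(systemctl\s+(stop|disable|mask)\s+apparmor|aa-teardown)\b"),
    "competitor_killed": re.compile(r"\b(pkill|killall)\b.*\b(xmrig|minerd)\b"),
}


def parse(line):
    """Split one record into (timestamp, host, user, command)."""
    ts, host, user, cmd = line.split(" ", 3)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), host, user, cmd


def scan(text):
    """Return [(host, timestamp, rule_name)] for every record a rule matches."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, _user, cmd = parse(line)
        hits.extend((host, ts, name) for name, rx in RULES.items()
                    if rx.search(cmd))
    return hits


def correlate(hits, window_s=300):
    """A lone hit (an admin running setenforce 0 on a build box) is noise;
    two or more distinct behaviours on one host inside window_s seconds is
    the takeover sequence worth alerting on. Returns {host: [rule_names]}."""
    by_host = defaultdict(list)
    for host, ts, name in hits:
        by_host[host].append((ts, name))
    clusters = {}
    for host, events in by_host.items():
        events.sort()
        names = {name for _, name in events}
        span = (events[-1][0] - events[0][0]).total_seconds()
        if len(names) >= 2 and span <= window_s:
            clusters[host] = sorted(names)
    return clusters
```

`correlate(scan(SAMPLE_LOG))` flags only cam-dvr01; the single `setenforce 0` on build02 is reported by `scan` but never becomes an alert.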
 
RondoDox Updates its Exploit Arsenal

The malware known as RondoDox has witnessed a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, TP-Link devices, as well as a new command-and-control (C2) infrastructure on compromised residential IP. Once dropped, the malware proceeds to eliminate competition by killing existing malware such as XMRig and other botnets, disabling SELinux and AppArmor, and running the main payload that's compatible with the system architecture.
Thanks for sharing this update on RondoDox, Victor M. That's a pretty alarming escalation—going from niche DVR exploits to hitting big players like Oracle WebLogic and a bunch of router brands (LB-LINK, D-Link, NETGEAR, etc.) shows how these threats are evolving to cast a wider net. The 650% jump in vectors is no joke, especially with that sneaky C2 setup on residential IPs, which makes it harder to trace and block.

It's interesting (and concerning) how it clears out competitors like XMRig and disables defenses like SELinux/AppArmor before deploying its payload. This kind of behavior reminds me of how botnets like Mirai have adapted over time to maximize control.

For anyone reading: If you're managing enterprise setups or even home routers from those brands, double-check for firmware updates and consider network segmentation to limit lateral movement. Has anyone here encountered RondoDox in the wild or have tips on monitoring for these kinds of IoT/enterprise exploits?
 


Oct 13, 2025 · Ravie Lakshmanan · Network Security / Botnet

Malware campaigns distributing the RondoDox botnet have expanded their targeting focus to exploit more than 50 vulnerabilities across over 30 vendors.

The activity, described as akin to an "exploit shotgun" approach, has singled out a wide range of internet-exposed infrastructure, including routers, digital video recorders (DVRs), network video recorders (NVRs), CCTV systems, web servers, and various other network devices, according to Trend Micro.

The cybersecurity company said it detected a RondoDox intrusion attempt on June 15, 2025, when the attackers exploited CVE-2023-1389, a security flaw in TP-Link Archer routers that has come under active exploitation repeatedly since it was first disclosed in late 2022.

RondoDox's expanded arsenal of exploits includes nearly five dozen security flaws, out of which 18 don't have a CVE identifier assigned. The 56 vulnerabilities span various vendors such as D-Link, TVT, LILIN, Fiberhome, Linksys, BYTEVALUE, ASMAX, Brickcom, IQrouter, Ricon, Nexxt, NETGEAR, Apache, TBK, TOTOLINK, Meteobridge, Digiever, Edimax, QNAP, GNU, Dasan, Tenda, LB-LINK, AVTECH, Zyxel, Hytec Inter, Belkin, Billion, and Cisco.
 
It's a battle with no end. And it has multiple battle fronts. Maybe buy a router that has some protection like Asus.
The malware known as RondoDox has witnessed a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, TP-Link devices, as well as a new command-and-control (C2) infrastructure on compromised residential IP. Once dropped, the malware proceeds to eliminate competition by killing existing malware such as XMRig and other botnets, disabling SELinux and AppArmor, and running the main payload that's compatible with the system architecture.
Yup, all this just makes my head spin.
 
It's a battle with no end. And it has multiple battle fronts. Maybe buy a router that has some protection like Asus.
A router that has solid firmware support like Asus.
I got an Asus AX and AC router.
The AC was first released in 2013, and new firmware was still released for it in Oct 2025. That's 12 years of bug fixing and improvement. Even though it went EOL last year according to Asus, they still don't abandon their loyal customers. The Trend Micro AI is already a plus too.
 
I am certainly going to have to do some research again on routers, as I haven't done this for a while. Do we have a short list, from users, of routers that are updated frequently? It is our front door!

As I changed ISP back in April I've been using the BT (PlusNet) supplied router, mainly as it's a new system locally & if there were issues it WAS better for their support to deal with their own router (maybe????), but it's time to change. I'm looking at the 'ASUS TUF Gaming AX4200'. I'm not a gamer but I like a good wireless signal, which I do actually get with the standard BT router anyway. What do others think of that choice? I've used ASUS in the past.

 
I am certainly going to have to do some research again on routers, as I haven't done this for a while. Do we have a short list, from users, of routers that are updated frequently? It is our front door!

As I changed ISP back in April I've been using the BT (PlusNet) supplied router, mainly as it's a new system locally & if there were issues it WAS better for their support to deal with their own router (maybe????), but it's time to change. I'm looking at the 'ASUS TUF Gaming AX4200'. I'm not a gamer but I like a good wireless signal, which I do actually get with the standard BT router anyway. What do others think of that choice? I've used ASUS in the past.

Fritz! offers many different routers. New operating system versions are released frequently, and routers receive updates for many years. However, I don't know if they are available in the UK.

 
I am certainly going to have to do some research again on routers, as I haven't done this for a while. Do we have a short list, from users, of routers that are updated frequently? It is our front door!

As I changed ISP back in April I've been using the BT (PlusNet) supplied router, mainly as it's a new system locally & if there were issues it WAS better for their support to deal with their own router (maybe????), but it's time to change. I'm looking at the 'ASUS TUF Gaming AX4200'. I'm not a gamer but I like a good wireless signal, which I do actually get with the standard BT router anyway. What do others think of that choice? I've used ASUS in the past.

Running Asus AX86 Pro and flashed it with Merlin Firmware combined with Skynet Firewall script that blocks whole nation ip ranges and detects/blocks IoT traffic. I like it so far.

Edit: I point it to nextdns via DoH rather than wasting CPU cycles running a native on router DNS blocker.
 
I am certainly going to have to do some research again on routers, as I haven't done this for a while. Do we have a short list, from users, of routers that are updated frequently? It is our front door!

As I changed ISP back in April I've been using the BT (PlusNet) supplied router, mainly as it's a new system locally & if there were issues it WAS better for their support to deal with their own router (maybe????), but it's time to change. I'm looking at the 'ASUS TUF Gaming AX4200'. I'm not a gamer but I like a good wireless signal, which I do actually get with the standard BT router anyway. What do others think of that choice? I've used ASUS in the past.

If you want regular monthly updates (most of the time) you can choose a Mikrotik router. Each and every model of them gets the update at the same time, as the OS is the same on every one of them. The hAP ax³ is a good one to start with, and you have an option to enable DoH DNS like NextDNS natively in it.
 
Let me start by saying this—all routers are only as vulnerable as you make them. In order for a router to get hacked, a hacker needs to get a way to it, either from a compromised device or simply by accessing your Wi-Fi network. Once this is done, nothing is preventing a hacker from playing with it, not even the latest software update.

You can totally use a discontinued router with out-of-date software without any risks as long as you protect it and your devices well. What do I mean by saying that?
1. Change the username and password to something more complex
2. Password-protect your Wi-Fi network, and use at least WPA2-PSK (AES) if WPA3 is not available
3. Block access to the router's internal page on all devices except one
4. Reduce the strength of your Wi-Fi network to just cover your house
5. Enable the firewall and disable UPnP; make your router not accessible from the outside web

As long as your connected devices are safe, your router is safe as well. I used an ISP router from 2013 to 2021 that never saw a single update and was never hacked, as I stuck to those principles. I'd probably still use the same router if it wasn't limited by speed and features. Those are the only reasons why I got a new Asus router.
 
So what's the point of HIPS/AM/AV/Anti-Exe/Whitelisting or the other crap when your router probably has 100 exploitable bugs?

We are looking at this problem wrong IMHO. There is no point using Comodo or Appguard when your router is a POS security wise & compromised.

They are of little use if the browser is set up correctly.
The browser settings and adblock used need to be improved.
This way, there will never be any bypasses.

But if there were to be any, all those endless discussions about measures that should be improved/(forgotten) would come into play.

  • Account Standard
  • UAC
  • AV
  • Anti-Exploit
  • ...................
 
Let me start by saying this—all routers are only as vulnerable as you make them. In order for a router to get hacked, a hacker needs to get a way to it, either from a compromised device or simply by accessing your Wi-Fi network. Once this is done, nothing is preventing a hacker from playing with it, not even the latest software update.

You can totally use a discontinued router with out-of-date software without any risks as long as you protect it and your devices well. What do I mean by saying that?
1. Change the username and password to something more complex
2. Password-protect your Wi-Fi network, and use at least WPA2-PSK (AES) if WPA3 is not available
3. Block access to the router's internal page on all devices except one
4. Reduce the strength of your Wi-Fi network to just cover your house

As long as your connected devices are safe, your router is safe as well. I used an ISP router from 2013 to 2021 that never saw a single update and was never hacked, as I stuck to those principles. I'd probably still use the same router if it wasn't limited by speed and features. Those are the only reasons why I got a new Asus router.
The idea that routers can only be attacked from the LAN side is not entirely correct. In fact, routers are often compromised directly from the internet without any prior access to the network. The RondoDox botnet takes advantage of over 56 vulnerabilities across more than 30 router manufacturers by targeting devices from the WAN side. These attacks are successful because many internet-facing management services are exposed by default. For example, routers often have management interfaces, such as TR-069/CWMP (port 7547), UPnP, SSH, Telnet, or HTTP/HTTPS, directly accessible from the WAN.

Misconfigurations with IPv6 can completely bypass intended security measures. A specific case involved Netgear routers that allowed unrestricted WAN access via IPv6 to services intended only for LAN use. Additionally, ISP remote management protocols can create backdoor access; for instance, TR-069/CWMP, which ISPs use to manage routers remotely, has been exploited in various attacks. Gaining control of a single ISP's Auto Configuration Server (ACS) can potentially allow access to hundreds of thousands of routers at once.

Zero-click exploits, which require no user interaction, pose a significant threat. For example, the DrayTek RCE vulnerability (CVE-2022-32548) can lead to complete router compromise if the management interface is exposed to the internet.

The belief that discontinued routers with outdated software are safe is fundamentally flawed. A 12-year-old authentication bypass vulnerability (CVE-2021-20090) affected at least 20 Arcadyan-based router models, enabling unauthenticated remote attackers to gain root access. Issues like buffer overflows, memory corruption, and stack-based vulnerabilities in firmware cannot be fixed simply through configuration changes. It's also crucial to recognize that "Protected Devices Don't Protect the Router"; rather, it's the router that secures the devices.

Once a router is compromised from the WAN side, several threats can arise, including: a) DNS hijacking that redirects traffic to attacker-controlled servers, b) man-in-the-middle attacks that intercept unencrypted traffic, c) packet capture that monitors all network activity, and d) theft of VPN credentials and installation of backdoor firmware for persistent access. Therefore, while your recommendations are necessary, they are not sufficient on their own.

PS: language is polished by an AI.
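Added example, not part of the post above: a Python self-check that probes your own router's public address, from outside the LAN, for the management ports the post lists (SSH, Telnet, HTTP/HTTPS, TR-069 on 7547), over IPv4 and IPv6 separately so that the IPv6-only exposure the post mentions shows up as its own finding. The addresses are placeholders, and the assessment also runs on a constructed scan result so it can be read offline.

```python
import socket

# Management services the post lists as commonly reachable from the WAN
# side, keyed by TCP port. UPnP discovery (SSDP, UDP/1900) is not probed.
MANAGEMENT_PORTS = {22: "SSH", 23: "Telnet", 80: "HTTP admin page",
                    443: "HTTPS admin page", 7547: "TR-069/CWMP"}
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}


def probe_tcp(address, port, family, timeout=2.0):
    """True if a TCP handshake to address:port completes for that family."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
            return True
    except OSError:
        return False


def scan_wan(addresses, ports=MANAGEMENT_PORTS, timeout=2.0):
    """addresses: {"IPv4": "<your public v4>", "IPv6": "<your public v6>"}.
    Run this from OUTSIDE your LAN (a phone on mobile data, a VPS you own);
    from inside it mostly exercises NAT loopback, not WAN exposure.
    Returns {family: set(open ports)}."""
    return {fam: {p for p in ports if probe_tcp(addr, p, FAMILIES[fam], timeout)}
            for fam, addr in addresses.items()}


def assess(open_by_family):
    """Turn per-family open-port sets into (port, service, note) findings.
    A port open over IPv6 but closed over IPv4 is the Netgear-style case the
    post mentions: the IPv4 filter exists, the IPv6 one does not."""
    v4 = open_by_family.get("IPv4", set())
    v6 = open_by_family.get("IPv6", set())
    findings = []
    for port in sorted(v4 | v6):
        service = MANAGEMENT_PORTS.get(port, "unknown service")
        if port in v6 and port not in v4:
            note = "reachable over IPv6 only: IPv6 firewall not mirroring IPv4"
        elif port in MANAGEMENT_PORTS:
            note = "management service exposed to the WAN"
        else:
            note = "unexpected open port"
        findings.append((port, service, note))
    return findings


# Constructed scan result so the assessment can be read offline; replace with
# scan_wan({"IPv4": "203.0.113.5", "IPv6": "2001:db8::1"}) (placeholder IPs).
SAMPLE_RESULT = {"IPv4": set(), "IPv6": {80, 7547}}

if __name__ == "__main__":
    for port, service, note in assess(SAMPLE_RESULT):
        print(f"{port:>5}  {service:<16}  {note}")
```

An empty result on both families is the state the post recommends: nothing answers on the WAN side, so the ISP-side firewall or your own is doing its job.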
 
I am certainly going to have to do some research again on routers, as I haven't done this for a while. Do we have a short list, from users, of routers that are updated frequently? It is our front door!

As I changed ISP back in April I've been using the BT (PlusNet) supplied router, mainly as it's a new system locally & if there were issues it WAS better for their support to deal with their own router (maybe????), but it's time to change. I'm looking at the 'ASUS TUF Gaming AX4200'. I'm not a gamer but I like a good wireless signal, which I do actually get with the standard BT router anyway. What do others think of that choice? I've used ASUS in the past.
I'm not a gamer, but I bought AX3000 V2 because I needed a reliable and fast router with a lot of options. I'm satisfied with the product to the point I already decided my next router will be Asus. It offers way more customizability than the TP-Link router I had before. The only downside is short lasting LED indicators on the router itself. After a year and a half, three of them died. It's still under warranty but I'm not going to return it as I did return TP-Link one before for the same issue. I guess I'm out of luck with these LEDs. 😅
My ISP never updates routers, to avoid maintenance cost. Mine was not updated in 3 years, though the latest update is from a week ago. I cannot do it myself; it would void the TOS.
Same with mine. Behind my AX3000 V2 I have Huawei EchoLife HG8145V5 last updated in 2022.
Fritz! offers many different routers. New operating system versions are released frequently, and routers receive updates for many years. However, I don't know if they are available in the UK.

I wanted a Fritz! router, but they are HELLA expensive. I'm not ready to shell out more than 120€ for a router. Fritz! routers sell for about 250€.
The idea that routers can only be attacked from the LAN side is not entirely correct. In fact, routers are often compromised directly from the internet without any prior access to the network. The RondoDox botnet takes advantage of over 56 vulnerabilities across more than 30 router manufacturers by targeting devices from the WAN side. These attacks are successful because many internet-facing management services are exposed by default. For example, routers often have management interfaces, such as TR-069/CWMP (port 7547), UPnP, SSH, Telnet, or HTTP/HTTPS, directly accessible from the WAN.

Misconfigurations with IPv6 can completely bypass intended security measures. A specific case involved Netgear routers that allowed unrestricted WAN access via IPv6 to services intended only for LAN use. Additionally, ISP remote management protocols can create backdoor access; for instance, TR-069/CWMP, which ISPs use to manage routers remotely, has been exploited in various attacks. Gaining control of a single ISP's Auto Configuration Server (ACS) can potentially allow access to hundreds of thousands of routers at once.

Zero-click exploits, which require no user interaction, pose a significant threat. For example, the DrayTek RCE vulnerability (CVE-2022-32548) can lead to complete router compromise if the management interface is exposed to the internet.

The belief that discontinued routers with outdated software are safe is fundamentally flawed. A 12-year-old authentication bypass vulnerability (CVE-2021-20090) affected at least 20 Arcadyan-based router models, enabling unauthenticated remote attackers to gain root access. Issues like buffer overflows, memory corruption, and stack-based vulnerabilities in firmware cannot be fixed simply through configuration changes. It's also crucial to recognize that "Protected Devices Don't Protect the Router"; rather, it's the router that secures the devices.

Once a router is compromised from the WAN side, several threats can arise, including: a) DNS hijacking that redirects traffic to attacker-controlled servers, b) man-in-the-middle attacks that intercept unencrypted traffic, c) packet capture that monitors all network activity, and d) theft of VPN credentials and installation of backdoor firmware for persistent access. Therefore, while your recommendations are necessary, they are not sufficient on their own.

PS: language is polished by an AI.
You are right! Routers can also be attacked from the web, but in order to be hacked, they have to be accessible from the outside web. I don't know about other countries, but here in Croatia all routers have the firewall enabled by default and the ISP doesn't allow access to your router from the outside web. This is exactly how your network should be set up. If you can access your router's internal page through the outside network, you should call your ISP immediately and demand they lock it down and block port 80.
In that case you're not only vulnerable to hacking of the router, but DDoS attacks as well which might knock your internet connection offline.

I updated my post to add 5th point as I forgot it initially. Anyone following these 5 tips can never get hacked.
 
For those who are considering Asus Routers, here are the models supported by Merlin Firmware as NOT all Asus routers are flashable.

Security fixes are mostly faster and have extra features using Merlin.
 

Attachment: Screenshot_20251109-081810_(1).png (300.2 KB)
For those who are considering Asus Routers, here are the models supported by Merlin Firmware as NOT all Asus routers are flashable.

Security fixes are mostly faster and have extra features using Merlin.
These are also supported through asuswrt-merlin.ng:
  • GT-BE98/GT-BE25000
  • DSL-AX82U/DSL-AX5400
  • RT-AX82U v1
  • RT-AX82U v2
  • RT-AX92U
  • TUF-AX5400 v1
  • TUF-AX3000 v1
  • TUF-AX3000 v2
  • RT-AX58U v2
  • RT-AX5400
  • ZenWiFi XT8 / RT-AX95Q v1
  • ZenWifi ET8 / RT-AXE95Q
  • DSL-AC68U
 
These are also supported through asuswrt-merlin.ng:
  • GT-BE98/GT-BE25000
  • DSL-AX82U/DSL-AX5400
  • RT-AX82U v1
  • RT-AX82U v2
  • RT-AX92U
  • TUF-AX5400 v1
  • TUF-AX3000 v1
  • TUF-AX3000 v2
  • RT-AX58U v2
  • RT-AX5400
  • ZenWiFi XT8 / RT-AX95Q v1
  • ZenWifi ET8 / RT-AXE95Q
  • DSL-AC68U

I have not personally tried this fork.
What's the difference between this and Merlin, besides the extended life support?