A 9.8-CVSS vulnerability dormant since 2018 now arming a 174-CVE DDoS arsenal against 1 million+ exposed routers

Continue reading
VulnCheck's latest threat intelligence confirms that cybercriminals are actively targeting legacy ASUS routers by weaponising CVE-2018-5999, a critical unauthenticated configuration update vulnerability carrying a CVSS score of 9.8— a flaw that allows any unauthenticated remote attacker to modify router settings and execute arbitrary commands as root, without valid credentials at any stage of the exploit chain.
The RondoDox botnet exploiting this ASUS router flaw in active DDoS campaigns has been operating since mid-2025, focuses exclusively on Linux-based embedded systems, and is formally classed as a Mirai-lineage variant with a singular operational mandate: sustained volumetric denial-of-service attacks.
What distinguishes this campaign is the eight-year gap between public disclosure and first observed in-the-wild exploitation. Proof-of-concept exploit code for CVE-2018-5999 has existed since January 2018. The question this incident demands an answer to is not how the vulnerability was exploited, but why the structural conditions enabling that exploitation have been permitted to persist across more than one million consumer devices for nearly a decade.
VulnCheck's specialised canary network detected active exploitation beginning May 17, 2026. Following confirmation of in-the-wild abuse, CVE-2018-5999 was formally added to the VulnCheck Known Exploited Vulnerabilities catalogue — the firm's authoritative index of vulnerabilities with confirmed real-world exploitation evidence.
In a statement published via LinkedIn, VulnCheck CTO Jacob Baines confirmed: _"Public exploits have been available since 2018. But until now, we hadn't seen the vulnerability exploited in the wild."_
This addition to VulnCheck KEV carries institutional weight beyond the catalogue entry itself. VulnCheck's 2026 State of Exploitation research on network edge device vulnerabilities reveals that only 23.7 percent of actively exploited vulnerabilities tracked by VulnCheck appear in CISA's own KEV — meaning a significant proportion of confirmed in-the-wild exploitation receives no federal visibility and triggers no mandatory remediation timeline for government agencies or critical infrastructure operators.
CVE-2018-5999's eight-year journey from public PoC to active botnet weaponisation without appearing in CISA KEV illustrates precisely this institutional blind spot.
Understanding why this vulnerability produces such operationally decisive results requires a precise examination of the two-stage exploitation mechanism — first documented in the original AsusWRT LAN unauthenticated remote code execution advisory published by security researcher Pedro Ribeiro in January 2018.
Stage One: Unauthenticated POST and NVRAM Variable Manipulation
The AsusWRT HTTP server contains a permissive request-handling flaw inside `handle_request()` in `router/httpd/httpd.c` — the function responsible for authenticating incoming client requests. Under specific conditions, it allows an unauthenticated client to submit POST requests to protected endpoints. The VPN configuration upload handler, `do_vpnupload_post()` in `router/httpd/web.c`, processes POST data and writes NVRAM variables directly from attacker-controlled request content without validation.
This allows an unauthenticated attacker to write arbitrary NVRAM key-value pairs — specifically, setting the `ateCommand_flag` variable to `1`. This flag is a factory testing and quality-assurance diagnostic parameter embedded in AsusWRT firmware. It was never intended to be accessible on production devices, and it was not enabled by default in any firmware distributed through ASUS's official download channels.
Stage Two: `infosvr` PKT_SYSCMD Root Execution via UDP Port 9999
The AsusWRT infosvr unauthenticated root command execution exploit — documented on Exploit-DB since 2018 and available as a fully operational Metasploit module for AsusWRT LAN remote code execution — exploits the following internal mechanism:
`infosvr` is a UDP broadcast daemon running on port 9999, designed for automatic router discovery on the local subnet by ASUS configuration utilities. Its internal packet handler contains a conditional code path: if `ateCommand_flag` equals `1`, it enters a privileged execution mode — `PKT_SYSCMD` — in which any command embedded in an incoming UDP packet is passed directly to the system shell and executed as the root user.
Once Stage One has set the NVRAM flag, Stage Two is mechanically simple. The attacker sends a crafted UDP packet to port 9999 containing any shell command. The router executes it as root. Alternative post-exploitation paths include launching the Telnet daemon on a randomly selected port, establishing an interactive root shell accessible from the network — without any password reset, without any administrator alert, and without any modification to the router's web interface state that a user would observe.
The SSD Secure Disclosure advisory on the ASUS unauthenticated LAN remote command execution vulnerability further documents the `iboxPKTEx` packet structure — the header format that `infosvr` uses to parse incoming `PKT_SYSCMD` requests — confirming that the protocol implementation was a production-shipped design decision with no authentication layer.
ASUS patched these flaws in firmware version `3.0.0.4.384_10007` — exclusively for device models still within their active support cycle at the time of the January 2018 disclosure. Every ASUS router that had already reached end-of-life status before that date received no remediation, and remains fully exploitable today.
RondoDox is not a commodity botnet operating a single static payload against a known vulnerability. Trend Micro's Zero Day Initiative threat research on the RondoDox botnet campaign classifies it as a structurally sophisticated, continuously evolving mass-exploitation platform targeting internet-facing routers, DVRs, NVRs, CCTV systems, web servers, and embedded Linux devices across more than 30 distinct vendors.
Exploit Arsenal Scale and Composition
Bitsight's infrastructure analysis of the RondoDox botnet campaign — tracking exploitation activity between May 25, 2025 and February 16, 2026 — identified 174 distinct vulnerabilities deployed by RondoDox operators, comprising:
The presence of 11 exploits with no publicly documented proof-of-concept carries a direct analytical implication: RondoDox operators are either conducting independent vulnerability research, accessing private exploit markets, or maintaining undisclosed research capability. This is not typical of purely opportunistic botnet operations.
The Exploit Shotgun Operational Model
Trend Micro's ZDI analysis documents the operational model that distinguishes RondoDox from single-CVE botnets: a mass-probe architecture in which each scanning cycle simultaneously attempts exploitation across the full active CVE inventory — firing every available exploit at each discovered target and recording which achieves code execution.
Trend Micro's research confirming RondoDox's exploit shotgun targeting over 30 router vendors confirms that this "exploit shotgun" approach — probing 50+ vulnerabilities per target in parallel — maximises infection throughput against heterogeneous device populations where individual device vulnerability status is unknown in advance.
The first confirmed RondoDox intrusion attempt documented by Trend Micro occurred June 15, 2025, exploiting CVE-2023-1389 against the TP-Link Archer AX21's WAN interface — a vulnerability disclosed after the Pwn2Own Toronto event and weaponised by RondoDox within weeks of public PoC availability.
Malware Architecture and Multi-Platform Binary Deployment
The RondoDox botnet exploit arsenal propagates on Go-language core engine, identified by Trend Micro researchers in April 2025 following anomalous traffic from compromised DVR appliances across multiple geographic regions. The Go implementation provides cross-platform compilation efficiency — enabling RondoDox to ship architecture-specific binaries targeting x86_64, multiple ARM instruction set variants, MIPS, PowerPC, and legacy architectures including m68k and SPARC.
RondoDox v2's 650% exploit arsenal expansion targeting enterprise infrastructure introduces a CVE range spanning over a decade of unpatched firmware history — including CVE-2014-6271 (GNU Bash Shellshock), CVE-2018-10561 (Dasan GPON router authentication bypass), CVE-2021-41773 (Apache HTTP Server path traversal and RCE), and CVE-2024-3721 (TBK DVR command injection).
The C2 infrastructure operates exclusively through compromised residential IP addresses distributed across multiple autonomous system numbers — a deliberate architectural choice that defeats IP reputation-based blocking, since every C2 communication originates from legitimate residential ISP address space.
Persistence and Self-Healing
Post-exploitation, RondoDox deploys a lightweight persistence agent engineered to survive device reboots and firmware reset cycles. The agent polls C2 servers periodically for updated payloads and operational commands. Self-healing routines monitor for component removal and reinstall the full payload stack if any element is deleted — making manual remediation on a compromised device effectively non-persistent without full factory reset procedures.
Loader-as-a-Service Co-Packaging with Mirai
The most structurally concerning evolutionary development in RondoDox's operational model is its recent adoption of a loader-as-a-service distribution architecture that co-packages the RondoDox DDoS payload alongside Mirai and Morte botnet components. This hybrid delivery model complicates attribution, increases the infected device's utility to multiple threat actor groups simultaneously, and creates detection challenges for security tools calibrated to identify either family independently.
Differentiation from Mirai
Despite frequent classification as a Mirai variant, SC Media's coverage of the RondoDox multi-vulnerability botnet campaign notes the critical operational distinction: Mirai is a multi-function botnet capable of DDoS execution, vulnerability scanning, and secondary system exploitation. RondoDox is operationally singular — its compromised device pool exists exclusively to generate volumetric DDoS traffic on operator command. Every infected device is a dedicated attack node, not a general-purpose exploitation platform.
Prior Campaign History
Prior to activating CVE-2018-5999, RondoDox had already demonstrated cross-platform exploitation breadth. The RondoDox React2Shell campaign exploiting CVE-2025-55182 against Next.js servers demonstrated the botnet's willingness to move beyond embedded IoT devices into web server infrastructure — targeting unauthenticated server-side rendering flaws in Node.js environments. VulnCheck's analysis of the XWiki CVE-2025-24893 exploitation campaign involving RondoDox further documented its exploitation of web application vulnerabilities alongside its primary embedded device targeting.
With more than one million ASUS routers currently accessible on the public internet — confirmed through VulnCheck's canary network enumeration — the available target pool for this campaign exceeds the compromised device counts of several historically significant botnet operations at their peak.
Every device within this pool satisfies all conditions that make a target operationally ideal for RondoDox: it runs Linux, it is internet-facing, it is unpatched and unpatchable, its owner has no technical visibility into compromise, and its exploitation produces zero authentication logs or observable state change in the device management interface.
The operational arithmetic for RondoDox operators requires no sophisticated resources: a Metasploit module available since 2018, a target population exceeding one million devices, and a scanning infrastructure already operational across 174 CVEs. The only constraint on campaign scale is the bandwidth of the scanning infrastructure itself.
The RondoDox CVE-2018-5999 activation is not an anomaly — it is the statistically expected output of a structural exploitation condition quantified in VulnCheck's 2026 State of Exploitation report on network edge device vulnerabilities and end-of-life exploitation trends:
42.5% of all vulnerabilities exploited in 2025 affected devices classified as end-of-life or likely end-of-life — confirming that the EOL device population is now the primary attack surface in network edge exploitation, not current-generation supported hardware.
56% of exploited edge device vulnerabilities targeted consumer routers and globally distributed networking products — the exact device category to which ASUS's vulnerable consumer router fleet belongs.
65% of vulnerabilities exploited by botnets specifically targeted end-of-life or likely end-of-life products — confirming that botnet operators have systematically calibrated their CVE selection toward the device population with the lowest remediation probability.
23.7% of VulnCheck KEV vulnerabilities appear in CISA KEV — meaning the authoritative federal vulnerability alert mechanism provides visibility into less than one quarter of confirmed in-the-wild exploitation activity.
18 CVEs were issued by VulnCheck after detecting exploitation activity through honeypots and canary systems — confirming that exploitation frequently precedes formal CVE assignment, rendering patch-on-CVE-publication response cycles structurally inadequate.
CISA's Regulatory Response: BOD 26-02
CISA's Binding Operational Directive BOD 26-02 on mitigating risk from end-of-support edge devices — released concurrent with VulnCheck's State of Exploitation report — mandates federal agencies to inventory, remediate, or remove end-of-support edge devices from their network environments. Its jurisdictional scope does not, however, extend to the consumer and small business router population where RondoDox is currently operating against more than one million ASUS devices with zero federal enforcement mechanism.
Network-Level Exploit Indicators
The CVE-2018-5999 exploitation sequence produces detectable artifacts at the network layer for organisations with router management traffic visibility. The complete two-stage chain presents as:
Operational Defensive Constraints
The fundamental defensive limitation is architectural, not technical. End-of-life ASUS devices have no vendor-issued firmware update pathway. Every defensive control that depends on a vendor patch is structurally non-functional against this threat. Available mitigations are limited to:
Network segmentation isolating consumer routing infrastructure from internal resources. Device replacement with currently-supported hardware carrying active firmware update lifecycles. Firewall rules restricting inbound access to UDP port 9999 (`infosvr`) at the network perimeter, as permitted by the infrastructure. Unique administrative credentials on all management interfaces. Isolation of critical assets from internet-exposed IoT device segments.
For the consumer population operating the exposed ASUS fleet, none of these controls is practically accessible without vendor-provided guidance that no party is currently positioned to deliver at scale to the affected device population.

Splunk disclosed CVE-2026-20253, a critical pre-auth RCE flaw in Splunk Enterprise (CVSS 9.8) from insecure MongoDB defaults. Patches released; upgrade to 9.1.8, 9.2.5, or 9.3.2.